Topic: Metropolitan Police malware has infected my system

benni9000

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    Metropolitan Police malware has infected my system
    « on: June 24, 2012, 12:59:56 PM »
    Last Wednesday I was on the net when a screen came up saying that I had illegal copies of music, games and programs on my laptop and also claiming that I had been looking at unsuitable content on the internet. It had the Metropolitan Police logo, address and all the official looking stuff. It also said that they had locked my PC and I had to pay a fine of £100 to unlock it. I couldn't do anything on my laptop. I couldn't even open Task Manager so I hit the power button and restarted the laptop. When it got into Windows the screen came up again. When I restarted the laptop a 3rd time I turned the wifi off and it booted fine without the screen. When I turned the wifi on however the screen came back.

    After restarting again without the wifi on I scanned my laptop using my anti virus software Avast but it didn't pick up anything. I then went RMB on Start then 'Explore all users' (I use Windows XP) then to here 'C:\Documents and Settings\Benni\Start Menu\Programs\Startup' and found a shortcut called 'ctfmon'. Not something I had installed. I deleted it and it came straight back. I then searched the name on C:\ drive and found some files with the same name. I deleted them. One was an exe file. The shortcut came back to the startup menu but the others didn't. I also looked at the properties of the ctfmon file that kept coming back and looked to see where it went to. It went to a RUNDLL file in the windows32 folder. This I couldn't delete as the file was write protected or my hard drive was full. After I had done all of this I turned on my wifi and the malware screen DIDN'T pop up. Yay, I thought, until I restarted. I hadn't got rid of it and everything was back, but now I had a workaround to get onto the internet. I searched the Metropolitan Police malware on the net and found that it was worldwide and a nightmare to get rid of. Google also pointed out to me that I had been infected and recommended some programs to use.

    I installed McAfee Stinger which didn't find it. So back to the net, that's when I found Computer Hope. I read the read me before requesting malware removal help. I followed the instructions and installed and ran the programs. I have the logs as well for when you request them. Unfortunately during the process I have accidentally blocked a Java file using Online Armor. The file is here C:\windows\system32\javacpl.cpl and now I can't run the program or figure out how to unblock it. Something else that has happened while I was running all the scans and anti spyware and such is that when I boot the laptop up I am missing a RUNDLL file (I think it's the one that was infected) with a message saying 'Error loading jork_O_typ_col.exe  The specified module could not be found'. Now it seems that everything has fixed the malware issue, but I think some of the files are still around. I know the ctfmon shortcut is still there. I haven't tried anything else as the 'read this' post said not to do anything until instructed so I haven't. I am by no means a computer expert but I'm sure the RUNDLL file is kind of needed by Windows or at least is important.

    Could someone please help me finish this off and get my laptop back to proper working order. The 'read this' post was really helpful and easy to use, I am grateful it was there. I'm not sure if you need the logs posted or not, I did get a little confused about that so I have left them out until requested.

    I hope someone can help

    Benni

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1207
    • Experience: Guru
    • OS: Windows 10
    Re: Metropolitan Police malware has infected my system
    « Reply #1 on: June 24, 2012, 01:29:17 PM »
    I'm sorry, I can't follow your post at all. As concisely as possible, what's your question?

    benni9000
      Re: Metropolitan Police malware has infected my system
      « Reply #2 on: June 24, 2012, 02:14:36 PM »
      I got Metropolitan Police malware on my laptop. I followed the "read this before requesting malware removal help" post which seems to have stopped it, now I just need to get rid of the damage. I think there are still some files left on my laptop from the malware and I am missing a RUNDLL file from the Windows directory. Also how do I unblock javacpl.cpl which I accidentally blocked with Online Armor? It's stopping me from running Java when I click on it.

      Allan
      Re: Metropolitan Police malware has infected my system
      « Reply #3 on: June 24, 2012, 02:32:54 PM »
      Please follow the instructions in the following link and post your logs:
      http://www.computerhope.com/forum/index.php/topic,46313.0.html

      benni9000
        Re: Metropolitan Police malware has infected my system
        « Reply #4 on: June 24, 2012, 03:47:30 PM »
        Here they are.

        [year+ old attachment deleted by admin]

        benni9000
          Re: Metropolitan Police malware has infected my system
          « Reply #5 on: June 25, 2012, 02:29:51 PM »
          Sorry, I was supposed to post them this way.



          mbam-log-2012-06-23 (19-22-03)


          Malwarebytes Anti-Malware (Trial) 1.61.0.1400
          www.malwarebytes.org

          Database version: v2012.06.23.05

          Windows XP Service Pack 3 x86 NTFS
          Internet Explorer 8.0.6001.18702
          Benni :: TRINITY [administrator]

          Protection: Enabled

          23/06/2012 19:05:23
          mbam-log-2012-06-23 (19-22-03).txt

          Scan type: Quick scan
          Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
          Scan options disabled: P2P
          Objects scanned: 243523
          Time elapsed: 13 minute(s), 15 second(s)

          Memory Processes Detected: 0
          (No malicious items detected)

          Memory Modules Detected: 0
          (No malicious items detected)

          Registry Keys Detected: 32

          Registry Values Detected: 5
          HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping|{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Data: 8198 -> No action taken.
          HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping|{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Data: 8197 -> No action taken.
          HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Data:  -> No action taken.
          HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Data:  -> No action taken.
          HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search| (Adware.Hotbar) -> Data: http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUman000 -> No action taken.

          Registry Data Items Detected: 0
          (No malicious items detected)

          Folders Detected: 28

          Files Detected: 68

          (end)




          SUPERAntiSpyware Scan Log - 06-23-2012 - 18-40-46


          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 06/23/2012 at 06:40 PM

          Application Version : 5.1.1002

          Core Rules Database Version : 8788
          Trace Rules Database Version: 6600

          Scan type       : Complete Scan
          Total Scan Time : 01:12:34

          Operating System Information
          Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
          Administrator

          Memory items scanned      : 847
          Memory threats detected   : 0
          Registry items scanned    : 35420
          Registry threats detected : 151
          File items scanned        : 145639
          File threats detected     : 653

          PUP.MyWebSearch/FunWebProducts
             HKLM\Software\FocusInteractive\bar\Switches#msn.exe
             HKLM\Software\FocusInteractive\bar\Switches#outlook.exe
             HKLM\Software\FocusInteractive\bar\Switches#waol.exe
             HKLM\Software\FocusInteractive\bar\Switches#aim.exe
             HKLM\Software\FocusInteractive\bar\Switches#icq.exe
             HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe
             HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe
             HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe
             HKLM\Software\FocusInteractive\bar\Switches#ypager.exe
             HKLM\Software\FocusInteractive\bar\Switches#au
             HKLM\Software\FocusInteractive\bar\Switches#mwsSrcAs.dll
             HKLM\Software\FocusInteractive\bar\Switches#ps
             HKLM\Software\FocusInteractive\bar\Switches#ok
             HKLM\Software\FocusInteractive\bar\Switches#od
             HKLM\Software\FocusInteractive\bar\Switches#nk
             HKLM\Software\FocusInteractive\bar\Switches#nd
             HKLM\Software\FocusInteractive\Email-IM
             HKLM\Software\FocusInteractive\Email-IM\0
             HKLM\Software\FocusInteractive\Email-IM\0#Toolbar
             HKLM\Software\FocusInteractive\Email-IM\0#AppName
             HKLM\Software\FocusInteractive\Outlook
             C:\Program Files\MyWebSearch\bar\History\search3
             C:\Program Files\MyWebSearch\bar\History
             C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
             C:\Program Files\MyWebSearch\bar\Settings
             C:\Program Files\MyWebSearch\bar
             C:\Program Files\MyWebSearch
             C:\Program Files\FunWebProducts\ScreenSaver\Images
             C:\Program Files\FunWebProducts\ScreenSaver
             C:\Program Files\FunWebProducts\Shared
             C:\Program Files\FunWebProducts

          Browser Hijacker.Deskbar
             HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
             HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
             HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
             HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
             HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

          Trojan.DNS-Changer (Hi-Jacked DNS)
             HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{451623F4-A7AF-4D6E-8A4B-6B4575F5FD17}#NAMESERVER
             HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{53E4B888-81F5-4200-87CD-2C5DCA401DC6}#NAMESERVER
             HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{451623F4-A7AF-4D6E-8A4B-6B4575F5FD17}#NAMESERVER
             HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{53E4B888-81F5-4200-87CD-2C5DCA401DC6}#NAMESERVER

          Rootkit.Agent/Gen-GXServ
             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys#start
             HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys#type

          Adware.Tracking Cookie
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /CN.CLICKABLE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /COLLECTIVE-MEDIA ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /COLLECTIVE-MEDIA ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /CONTENT.YIELDMANAGER ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /CONTENT.YIELDMANAGER ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][4].TXT [ /CONTENT.YIELDMANAGER ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][5].TXT [ /CONTENT.YIELDMANAGER ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /COUNTER.SURFCOUNTERS ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /COUNTERS.GIGYA ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /COUNTERS.GIGYA ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /COUNTRYCODE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /CZ5.CLICKZS ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /DC.TREMORMEDIA ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /DEBENHAMS.122.2O7 ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /DIRECTTRACK ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /DISCOUNTTHEATRE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /DISCOUNTVOUCHERS.CO ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /DISCOUNTVOUCHERS.CO ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /DMTRACKER ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /DMTRACKER ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /DMTRACKER ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /DOUBLECLICK ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /DOUBLECLICK ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4CGCJGFQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4EKDPCFO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4ENAZMKP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4EPC5WEQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4GMD5WAQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4KKCZELP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKICMCJGHO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKIKOCPECO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKIWOCZWKO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOCLAZKBP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOEGCPSGP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOGPCJOBO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOOHAJKEP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOQJDZCAO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYGPCPEFO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6AEKYOGCZEEQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYOLDJKKO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYSNDPSKO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYUJDPOKO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYUOCZCCO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AELIAGC5SBO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AELYEPD5WFO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAKIKJDZWEP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAKIQGC5SLO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAKOCODPWHP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WALICPAZWCQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WALOGKCZMCP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAMIEKCZEEO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WBK4QJDJKEP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WBKIWPCPIHP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WBKOUGCZACP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WBL4UNCPSKQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WCK4UJC5OLP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCL4OJCJWBQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCL4UIDJMHO.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCLOCGCZKGP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCLOQNAJCBQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCMICPCPAEP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCMIEKAZWLQ.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WCMYGKC5AAP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WDK4OLCPKBP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WDKOCNCJADP.STATS.ESOMNITURE ]
             C:\DOCUMENTS AND SETTINGS\AMANDA\CO

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 991
          • Certifications: List
          • Experience: Expert
          • OS: Windows 8
          Re: Metropolitan Police malware has infected my system
          « Reply #6 on: June 25, 2012, 04:13:49 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
          *************************************************************************
          You can uninstall these because they are no longer required:

          Java(TM) 6 Update 13
          Java(TM) 6 Update 33
          Java(TM) 6 Update 5
          Java(TM) 6 Update 7
          While you are there you should also uninstall nectar search toolbar because it could contain spyware.
          ***************************************************************
          Please run MBAM again and clean the infections. Please post the new log.

          Download Security Check by screen317 from one of the following links and save it to your desktop.

          Link 1
          Link 2

          * Double-click Security Check.bat
          * Follow the on-screen instructions inside of the black box.
          * A Notepad document should open automatically called checkup.txt
          * Post the contents of that document in your next reply.

          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
          **********************************************************
          Download Combofix from any of the links below, and save it to your DESKTOP

          Link 1
          Link 2
          Link 3

          To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
          • Close any open windows and double click ComboFix.exe to run it.

            You will see the following image:


          Click I Agree to start the program.

          ComboFix will then extract the necessary files and you will see this:



          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

          It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

          If you did not have it installed, you will see the prompt below. Choose YES.



          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



          Click on Yes, to continue scanning for malware.

          When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

          Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

          Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
          Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

          benni9000

            Topic Starter


            Rookie

            • Experience: Beginner
            • OS: Unknown
            Re: Metropolitan Police malware has infected my system
            « Reply #7 on: June 27, 2012, 12:17:19 PM »

            I have removed the following:

            Java(TM) 6 Update 33
            Java(TM) 6 Update 5
            Java(TM) 6 Update 7
            nectar search toolbar

            Unfortunately I couldn't uninstall Java(TM) 6 Update 13.  I got a fatal installation error.

            MBAM log.

            Malwarebytes Anti-Malware (Trial) 1.61.0.1400
            www.malwarebytes.org

            Database version: v2012.06.26.08

            Windows XP Service Pack 3 x86 NTFS
            Internet Explorer 8.0.6001.18702
            Benni :: TRINITY [administrator]

            Protection: Enabled

            27/06/2012 17:25:32
            mbam-log-2012-06-27 (17-25-32).txt

            Scan type: Quick scan
            Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
            Scan options disabled: P2P
            Objects scanned: 243687
            Time elapsed: 12 minute(s), 57 second(s)

            Memory Processes Detected: 0
            (No malicious items detected)

            Memory Modules Detected: 0
            (No malicious items detected)

            Registry Keys Detected: 0
            (No malicious items detected)

            Registry Values Detected: 0
            (No malicious items detected)

            Registry Data Items Detected: 0
            (No malicious items detected)

            Folders Detected: 0
            (No malicious items detected)

            Files Detected: 0
            (No malicious items detected)

            (end)

            Security Check by screen317 log

            Results of screen317's Security Check version 0.99.42 
             Windows XP Service Pack 3 x86   
             Internet Explorer 8 
            ``````````````Antivirus/Firewall Check:``````````````
             Windows Firewall Disabled! 
            avast! Antivirus   
             Antivirus up to date! 
            `````````Anti-malware/Other Utilities Check:`````````
             SUPERAntiSpyware     
             Malwarebytes Anti-Malware version 1.61.0.1400 
             CCleaner     
             Java(TM) 6 Update 13 
             Java version out of Date!
             Adobe Flash Player    11.3.300.262 
             Adobe Reader 9 Adobe Reader out of Date!
             Mozilla Firefox 12.0 Firefox out of Date! 
            ````````Process Check: objlist.exe by Laurent````````
             Malwarebytes Anti-Malware mbamservice.exe 
             Malwarebytes Anti-Malware mbamgui.exe 
             Tall Emu Online Armor OAcat.exe
             Tall Emu Online Armor oasrv.exe
             Tall Emu Online Armor oaui.exe
             Tall Emu Online Armor OAhlp.exe
             AVAST Software Avast AvastSvc.exe 
             AVAST Software Avast avastUI.exe 
            `````````````````System Health check`````````````````
             Total Fragmentation on Drive C:: 15% Defragment your hard drive soon!
            ````````````````````End of Log``````````````````````


            ComboFix log - while this was running MBAM picked up some files it reckoned were infected and I quarantined them.  Was this right or have I made a mess of things?

            ComboFix 12-06-27.01 - Benni 27/06/2012  18:29:36.1.2 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1918.1086 [GMT 1:00]
            Running from: c:\downloads\ComboFix.exe
            AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
            FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
            .
            ADS - WINDOWS: deleted 24 bytes in 1 streams.
            .
            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            c:\documents and settings\All Users\Application Data\TEMP
            c:\documents and settings\Benni\Application Data\PriceGong
            c:\documents and settings\Benni\Application Data\PriceGong\Data\1.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\1.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\11.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\1391.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\173.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\2229.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\a.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\a.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\b.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\b.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\c.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\c.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\d.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\d.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\e.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\e.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\f.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\f.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\g.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\g.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\h.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\h.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\i.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\i.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\j.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\J.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\k.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\k.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\l.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\l.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\m.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\m.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\mru.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\n.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\n.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\o.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\o.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\p.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\p.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\q.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\q.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\r.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\r.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\s.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\s.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\t.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\t.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\u.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\u.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\v.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\v.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\w.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\w.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\wlu.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\x.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\x.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\y.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\y.xml
            c:\documents and settings\Benni\Application Data\PriceGong\Data\z.txt
            c:\documents and settings\Benni\Application Data\PriceGong\Data\z.xml
            c:\documents and settings\Benni\WINDOWS
            c:\program files\Search Guard Plus
            c:\program files\Search Guard Plus\fbsProtection.xml
            c:\program files\Search Guard Plus\fbsSearchProvider.xml
            c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe
            c:\program files\Search Guard Plus\SearchGuardPlus.exe
            c:\program files\Search Guard Plus\SearchGuardPlus.ico
            c:\program files\Search Guard Plus\uninstalSGP.exe
            c:\program files\Search Guard PlusU
            c:\program files\Search Guard PlusU\SGPU.ico
            c:\program files\Search Guard PlusU\sgpUpdater.exe
            c:\program files\Search Guard PlusU\sgpUpdater.xml
            c:\program files\Search Guard PlusU\sgpUpdaters.exe
            c:\program files\Search Guard PlusU\uninstalSGPU.exe
            c:\program files\SGPSA
            c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
            c:\windows\system32\test
            .
            .
            (((((((((((((((((((((((((   Files Created from 2012-05-27 to 2012-06-27  )))))))))))))))))))))))))))))))
            .
            .
            2012-06-26 21:56 . 2012-06-26 21:56   0   ----a-w-   c:\windows\system32\REN8F.tmp
            2012-06-26 21:56 . 2012-06-26 21:56   0   ----a-w-   c:\windows\system32\REN8E.tmp
            2012-06-26 21:56 . 2012-06-26 21:56   0   ----a-w-   c:\windows\system32\REN8D.tmp
            2012-06-23 18:33 . 2012-06-23 18:33   476936   ----a-w-   c:\windows\system32\npdeployJava1.dll
            2012-06-23 18:04 . 2012-06-23 18:04   --------   d-----w-   c:\documents and settings\Benni\Application Data\Malwarebytes
            2012-06-23 18:03 . 2012-06-23 18:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
            2012-06-23 18:03 . 2012-06-23 18:03   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2012-06-23 18:03 . 2012-04-04 14:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2012-06-23 16:20 . 2012-06-23 16:20   --------   d-----w-   c:\documents and settings\Benni\Application Data\SUPERAntiSpyware.com
            2012-06-23 16:20 . 2012-06-23 16:20   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2012-06-23 16:20 . 2012-06-23 16:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
            2012-06-23 08:25 . 2012-06-23 17:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
            2012-06-23 08:25 . 2012-06-23 08:25   --------   d-----w-   c:\documents and settings\Benni\Application Data\OnlineArmor
            2012-06-23 08:25 . 2012-05-30 13:43   44592   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
            2012-06-23 08:25 . 2012-05-30 13:43   31912   ----a-w-   c:\windows\system32\drivers\OAnet.sys
            2012-06-23 08:25 . 2012-05-30 13:43   27632   ----a-w-   c:\windows\system32\drivers\OAmon.sys
            2012-06-23 08:25 . 2012-05-30 13:43   208312   ----a-w-   c:\windows\system32\drivers\OADriver.sys
            2012-06-23 08:24 . 2012-06-24 09:53   --------   d-----w-   c:\program files\Online Armor
            2012-06-22 20:22 . 2012-06-23 07:05   --------   d-----w-   c:\program files\stinger
            2012-06-14 16:21 . 2012-05-11 14:42   521728   ------w-   c:\windows\system32\dllcache\jsdbgui.dll
            2012-05-30 12:59 . 2012-05-30 12:59   4966600   ----a-w-   c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
            .
            .
            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2012-06-23 19:05 . 2012-04-04 10:04   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
            2012-06-23 19:05 . 2011-10-25 20:54   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
            2012-06-23 18:33 . 2010-07-04 12:21   472840   ----a-w-   c:\windows\system32\deployJava1.dll
            2012-06-02 14:19 . 2007-07-30 18:18   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
            2012-06-02 14:19 . 2007-07-30 18:19   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
            2012-06-02 14:19 . 2004-08-11 16:12   329240   ----a-w-   c:\windows\system32\wucltui.dll
            2012-06-02 14:19 . 2004-08-11 16:12   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
            2012-06-02 14:19 . 2004-08-11 16:12   210968   ----a-w-   c:\windows\system32\wuweb.dll
            2012-06-02 14:19 . 2007-07-30 18:19   45080   ----a-w-   c:\windows\system32\wups2.dll
            2012-06-02 14:19 . 2007-07-30 18:19   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
            2012-06-02 14:19 . 2004-08-11 16:12   53784   ----a-w-   c:\windows\system32\wuauclt.exe
            2012-06-02 14:19 . 2004-08-11 16:12   35864   ----a-w-   c:\windows\system32\wups.dll
            2012-06-02 14:19 . 2004-08-11 16:00   97304   ----a-w-   c:\windows\system32\cdm.dll
            2012-06-02 14:19 . 2007-07-30 18:18   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
            2012-06-02 14:19 . 2004-08-11 16:12   577048   ----a-w-   c:\windows\system32\wuapi.dll
            2012-06-02 14:19 . 2004-08-11 16:12   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
            2012-05-31 13:22 . 2004-08-11 16:00   599040   ----a-w-   c:\windows\system32\crypt32.dll
            2012-05-16 15:08 . 2004-08-11 16:00   916992   ----a-w-   c:\windows\system32\wininet.dll
            2012-05-15 13:20 . 2004-08-11 16:00   1863168   ----a-w-   c:\windows\system32\win32k.sys
            2012-05-11 14:42 . 2004-08-11 16:00   43520   ------w-   c:\windows\system32\licmgr10.dll
            2012-05-11 14:42 . 2004-08-11 16:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
            2012-05-11 11:38 . 2004-08-11 16:00   385024   ------w-   c:\windows\system32\html.iec
            2012-05-05 18:41 . 2012-05-05 18:41   2476   ----a-w-   C:\cc_20120505_194122.reg
            2012-05-04 13:16 . 2004-08-11 16:00   2148352   ----a-w-   c:\windows\system32\ntoskrnl.exe
            2012-05-04 12:32 . 2004-08-03 21:59   2026496   ----a-w-   c:\windows\system32\ntkrnlpa.exe
            2012-05-02 13:46 . 2004-08-11 16:11   139656   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
            2012-04-14 20:05 . 2012-04-14 20:05   6452   ----a-w-   C:\cc_20120414_210534.reg
            2012-03-29 19:31 . 2012-03-29 19:31   1624   ----a-w-   C:\cc_20120329_203128.reg
            2012-05-13 22:14 . 2012-04-06 16:17   97208   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
            .
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
            @="{472083B0-C522-11CF-8763-00608CC02F24}"
            [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
            2012-03-07 00:15   123536   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
            "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
            "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
            "Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
            "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
            "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
            "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
            "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2012-05-30 2346592]
            "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
            .
            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
            .
            c:\documents and settings\Benni\Start Menu\Programs\Startup\
            ctfmon.lnk - c:\windows\system32\rundll32.exe [2004-8-11 33280]
            PowerReg Scheduler.exe [2010-12-28 256000]
            .
            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
            Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-26 50688]
            Skype.lnk - c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe [2012-3-24 371272]
            .
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2012-05-30 361800]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
            2006-11-16 14:20   73728   ----a-w-   c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
            .
            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
            Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
            @=""
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
            @="Driver"
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^Benni^Start Menu^Programs^Startup^ctfmon.lnk]
            path=c:\documents and settings\Benni\Start Menu\Programs\Startup\ctfmon.lnk
            backup=c:\windows\pss\ctfmon.lnkStartup
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
            c:\windows\system32\dumprep 0 -k [X]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
            2012-01-03 07:37   843712   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
            2011-09-07 22:58   37296   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
            2007-09-23 17:27   159744   ----a-w-   c:\program files\DellTPad\Apoint.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
            2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
            2008-02-22 11:43   1245184   ----a-w-   c:\program files\Dell\QuickSet\quickset.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
            2011-10-18 14:30   136176   ----atw-   c:\documents and settings\Benni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
            2004-09-13 10:51   1450096   ------w-   c:\program files\Ahead\InCD\InCD.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
            2006-09-11 03:40   218032   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
            2012-03-27 04:09   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
            2006-11-02 13:05   282624   ----a-w-   c:\windows\system32\KADxMain.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
            2001-07-09 09:50   155648   ----a-w-   c:\windows\system32\NeroCheck.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
            2005-05-10 17:03   36864   ----a-r-   c:\windows\system32\P0620Pin.dll
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
            2008-02-26 09:57   128296   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
            2011-10-24 13:28   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade]
            2007-09-14 09:53   218424   ----a-w-   c:\program files\Wave Systems Corp\SecureUpgrade.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
            2007-12-05 16:24   405504   ----a-w-   c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
            2007-09-10 08:55   92160   ----a-w-   c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
            "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
            "c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
            "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
            "c:\\Program Files\\Vuze\\Azureus.exe"=
            "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=
            .
            R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [02/03/2010 21:54 20352]
            R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [06/11/2011 20:06 612184]
            R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [06/11/2011 20:06 337880]
            R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [23/06/2012 09:25 208312]
            R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [23/06/2012 09:25 44592]
            R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [23/06/2012 09:25 27632]
            R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [23/06/2012 09:25 31912]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
            R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
            R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 14:21 79432]
            R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [06/11/2011 20:06 20696]
            R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/06/2012 19:03 654408]
            R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [23/06/2012 09:24 210920]
            R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [23/06/2012 09:24 4382968]
            R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [11/08/2004 17:00 5120]
            R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 12:32 97536]
            R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [23/06/2012 19:03 22344]
            S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2010 17:59 136176]
            S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [30/05/2012 13:56 3048136]
            S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29/02/2012 09:50 158856]
            S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [04/04/2012 11:04 250056]
            S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2010 17:59 136176]
            S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [16/02/2012 14:02 33792]
            S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [13/05/2012 23:14 129976]
            .
            Contents of the 'Scheduled Tasks' folder
            .
            2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
            - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:05]
            .
            2012-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
            .
            2012-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 16:59]
            .
            2012-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 16:59]
            .
            2012-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2990146027-3927655144-4261030477-1005Core.job
            - c:\documents and settings\Benni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-02 14:30]
            .
            2012-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2990146027-3927655144-4261030477-1005UA.job
            - c:\documents and settings\Benni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-02 14:30]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com/ig?hl=en
            uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
            uInternet Settings,ProxyOverride = *.local
            IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
            DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
            FF - ProfilePath - c:\documents and settings\Benni\Application Data\Mozilla\Firefox\Profiles\rusocneo.default\
            FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
            FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&source=iglk
            FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=2&q=
            .
            - - - - ORPHANS REMOVED - - - -
            .
            Toolbar-{8020143D-5926-4394-A04D-DD0B649DA121} - (no file)
            WebBrowser-{8020143D-5926-4394-A04D-DD0B649DA121} - (no file)
            WebBrowser-{D70F2DE6-51E2-42D4-9077-4CA06CAFC836} - (no file)
            WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
            MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
            .
            .
            .
            **************************************************************************
            .
            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2012-06-27 18:54
            Windows 5.1.2600 Service Pack 3 NTFS
            .
            scanning hidden processes ... 
            .
            scanning hidden autostart entries ...
            .
            scanning hidden files ... 
            .
            scan completed successfully
            hidden files: 0
            .
            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------
            .
            [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
            @Denied: (2) (LocalSystem)
            "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,3c,dc,5a,e8,6b,65,4b,b6,b9,4f,\
            "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,3c,dc,5a,e8,6b,65,4b,b6,b9,4f,\
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------
            .
            - - - - - - - > 'winlogon.exe'(768)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            c:\windows\system32\Ati2evxx.dll
            c:\windows\System32\BCMLogon.dll
            c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
            c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
            .
            - - - - - - - > 'lsass.exe'(824)
            c:\windows\system32\wvauth.dll
            c:\windows\system32\biolsp.dll
            .
            Completion time: 2012-06-27  19:01:08
            ComboFix-quarantined-files.txt  2012-06-27 18:01
            .
            Pre-Run: 73,205,567,488 bytes free
            Post-Run: 73,671,028,736 bytes free
            .
            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            UnsupportedDebug="do not select this" /debug
            multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
            .
            - - End Of File - - A436A629F9FA163B0CD50B5027C100F9

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 991
            • Certifications: List
            • Experience: Expert
            • OS: Windows 8
            Re: Metropolitan Police malware has infected my system
            « Reply #8 on: June 27, 2012, 01:38:40 PM »
            Quote
            Unfortunately I couldn't uninstall Java(TM) 6 Update 13.  I got a fatal installation error.
            I had that problem about a month ago. I ended up uninstalling Java and then downloaded the newest version. Please try this:

            Update Your Java (JRE)

            Old versions of Java have vulnerabilities that malware can use to infect your system.


            First Verify your Java Version

            If there are any other version(s) installed then update now.

            Get the new version (if needed)

            If your version is out of date install the newest version of the Sun Java Runtime Environment.

            Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

            Be sure to close ALL open web browsers before starting the installation.

            Remove any old versions

            1. Download JavaRa and unzip the file to your Desktop.
            2. Open JavaRA.exe and choose Remove Older Versions
            3. Once complete exit JavaRA.

            Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
            ***********************************************
            Update your Adobe Reader. get.adobe.com/reader.

            Be sure to uncheck the Free McAfee Security Scan so it isn't installed.
            ***********************************************
            Quote
            Total Fragmentation on Drive C:: 15% Defragment your hard drive soon!

            You can use the defragger on your computer or this one.

            Defraggler is very effective and easy to use.

            Important! Be sure to uncheck Install optional Yahoo! Toolbar or Google Chrome during the install process to avoid installing them.

            Note: Be sure to clean out temp files and restart the computer just before beginning a defrag.
            ******************************************
            Quote
            while this was running MBAM picked up some files it reckoned were infected and I quarantined them.  Was this right or have I made a mess of things?
            No problem.

            ComboFix is running from the wrong location. Please delete it, download a new one and save it to your DESKTOP.

            Re-running ComboFix to remove infections:

            • Close any open browsers.
            • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
            • Open notepad and copy/paste the text in the quotebox below into it:
              Quote
              KillAll::

              File::
              c:\windows\system32\REN8F.tmp
              c:\windows\system32\REN8E.tmp
              c:\windows\system32\REN8D.tmp

            • Save this as CFScript.txt, in the same location as ComboFix.exe



            • Referring to the picture above, drag CFScript into ComboFix.exe
            • When finished, it shall produce a log for you at C:\ComboFix.txt
            • Please post the contents of the log in your next reply.
            *****************************************************
            Please download aswMBR.exe ( 511KB ) to your desktop.

            Double click the aswMBR.exe to run it



            Click the "Scan" button to start scan

            Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.



            On completion of the scan click save log, save it to your desktop and post in your next reply
            Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

            benni9000

              Topic Starter


              Rookie

              • Experience: Beginner
              • OS: Unknown
              Re: Metropolitan Police malware has infected my system
              « Reply #9 on: June 28, 2012, 03:24:26 PM »
              I checked which Java I had installed.  Apparently I didn't have it, but it was in my control panel.  I have run javara and removed all the old versions.  Java (TM) 6 update 13 is still in my add remove programs directory and still won't uninstall.  The latest version is installed but if I try to open it from control panel Online Armour blocks the file java.cpl in C:\WINDOWS\system32.  I accidentally blocked it when I first installed it and haven't yet figured out how to allow it to run.

              Adobe reader X (10.1.3) installed

              Defrag completed

              Deleted combofix and re-downloaded to desktop.  Copied that script to notepad.  Disabled MBAM and Avast and dragged CFscript to combofix as displayed.  Combofix ran and froze up.  Had to turn the pc off.  Tried again but left it for an hour and it still did nothing.  Tried it with online armour also disabled and the result was still the same.

              do you want me to carry on with the rest of your instructions tomorrow?

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 991
              • Certifications: List
              • Experience: Expert
              • OS: Windows 8
              Re: Metropolitan Police malware has infected my system
              « Reply #10 on: June 28, 2012, 04:05:32 PM »
              Quote
              I accidentally blocked it when I first installed it and haven't yet figured out how to allow it to run.
              You will have to get into Armour and remove the block. I'm not sure how to do that because I use Comodo.
              Quote
              do you want me to carry on with the rest of your instructions tomorrow?
              Yes please.

              Copy and paste the text in the code box below into Notepad.
              Code: [Select]
              @echo off
              del c:\windows\system32\REN8F.tmp
              c:\windows\system32\REN8E.tmp
              c:\windows\system32\REN8D.tmp

              exit

              Then click File > Save as
              Save to the Desktop as blackpudding.bat
              And Save as type: All Files.

              Double-click on blackpudding.bat to run it.

              benni9000

                Topic Starter


                Rookie

                • Experience: Beginner
                • OS: Unknown
                Re: Metropolitan Police malware has infected my system
                « Reply #11 on: June 30, 2012, 12:46:17 PM »
                Sorry for the delay.  I haven't given up.  Just had lots of other stuff to do.

                I managed to fix the javacpl.cpl block issue.

                ASW LOG

                aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
                Run date: 2012-06-30 19:17:53
                -----------------------------
                19:17:53.531    OS Version: Windows 5.1.2600 Service Pack 3
                19:17:53.531    Number of processors: 2 586 0x6802
                19:17:53.531    ComputerName: TRINITY  UserName: Benni
                19:18:02.156    Initialize success
                19:18:03.437    AVAST engine defs: 12063000
                19:18:24.671    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
                19:18:24.687    Disk 0 Vendor: TOSHIBA_MK1252GSX LV011D Size: 114473MB BusType: 3
                19:18:24.750    Disk 0 MBR read successfully
                19:18:24.750    Disk 0 MBR scan
                19:18:24.750    Disk 0 Windows XP default MBR code
                19:18:24.750    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0      109 MB offset 63
                19:18:24.765    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       114361 MB offset 224910
                19:18:24.765    Disk 0 scanning sectors +234436545
                19:18:24.859    Disk 0 scanning C:\WINDOWS\system32\drivers
                19:18:35.765    Service scanning
                19:18:57.250    Modules scanning
                19:19:06.937    Disk 0 trace - called modules:
                19:19:06.953    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
                19:19:06.953    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8abd9ab8]
                19:19:06.953    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000089[0x8abe4f18]
                19:19:06.953    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8abe3b00]
                19:19:07.546    AVAST engine scan C:\WINDOWS
                19:19:14.593    AVAST engine scan C:\WINDOWS\system32
                19:21:20.703    AVAST engine scan C:\WINDOWS\system32\drivers
                19:21:39.984    AVAST engine scan C:\Documents and Settings\Benni
                19:27:55.031    AVAST engine scan C:\Documents and Settings\All Users
                19:29:10.750    Scan finished successfully
                19:30:04.468    Disk 0 MBR has been saved successfully to "C:\Iain\MBR.dat"
                19:30:04.562    The log file has been saved successfully to "C:\Iain\aswMBR.txt"

                Ran Blackpudding.bat

                Got a message saying "Windows cannot open this file"  REN8E.tmp.  to open this file windows needs to know what program created it.  get the option of Use web service to find appropriate program or Select program from list.  I clicked cancel as I have no idea what to do.

                Got a message saying "Windows cannot open this file"  REN8D.tmp.  to open this file windows needs to know what program created it.  get the option of Use web service to find appropriate program or Select program from list.  I clicked cancel as I have no idea what to do.

                no further messages from running Blackpudding.bat

                And I still can't seem to uninstall Java 6 Update 13.  Having said that I can't find it either.  If I go to Add/Remove programs and click on Java 6 update 13 then click on support information the pop up window tells me there's a read me file in C:\program files\java\jre1.6.0 13.  the jre1.6.0 13 does not exist.  Has this become a rogue entry in my add/remove programs list?
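
The two "Windows cannot open this file" prompts reported above follow from the layout of the batch file in Reply #10: only the first path is an argument to `del`, so cmd runs the next two lines as commands and asks Windows to open the .tmp files. A corrected version as an added example (not part of the original thread); the three paths are the ones from the thread, while the `:remove` routine, the `attrib` step and the status messages are additions assumed here.

```bat
@echo off
rem Added example, not the script posted in the thread.
rem Every path must be an argument to del. A bare path on its own line is
rem executed as a command, which for a .tmp file opens the
rem "Windows cannot open this file" dialog instead of deleting anything.
setlocal
set "FAILED=0"

for %%F in (
    "c:\windows\system32\REN8F.tmp"
    "c:\windows\system32\REN8E.tmp"
    "c:\windows\system32\REN8D.tmp"
) do call :remove "%%~F"

if "%FAILED%"=="0" (
    echo All listed files are gone.
) else (
    echo One or more files could not be deleted.
)
pause
rem %FAILED% is expanded before endlocal runs, so the value survives.
endlocal & exit /b %FAILED%

:remove
if not exist "%~1" (
    echo Not present: %~1
    exit /b 0
)
rem Clear read-only, system and hidden attributes so del does not skip the file.
attrib -r -s -h "%~1"
del /f /q "%~1"
if exist "%~1" (
    echo Still present: %~1
    set "FAILED=1"
) else (
    echo Deleted: %~1
)
exit /b 0
```

A file reported as "Still present" is usually held open by a running process and needs removing from outside the running system, for example with the ComboFix `File::` script used earlier in the thread.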
                 

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 991
                • Certifications: List
                • Experience: Expert
                • OS: Windows 8
                Re: Metropolitan Police malware has infected my system
                « Reply #12 on: June 30, 2012, 02:56:26 PM »
                Quote
                Has this become a rogue entry in my add/remove programs list?
                I don't really know why this happened. As I mentioned before, this also happened to me. However, it is nothing serious.

                Please download: HiJackThis to your Desktop.
                • Double Click the HijackThis icon, located on your Desktop.
                • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
                • Accept the license agreement.
                • Click the Open the Misc Tools section button.
                • Click on the Open Uninstall Manager button.
                • Click Java(TM) 6 Update 13 and delete this program.
                ******************************************************
                SysProt Antirootkit

                Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                http://sites.google.com/site/sysprotantirootkit/

                Unzip it into a folder on your desktop.
                • Double click Sysprot.exe to start the program.
                • Click on the Log tab.
                • In the Write to log box select the following items.
                  • Process << Selected
                  • Kernel Modules << Selected
                  • SSDT << Selected
                  • Kernel Hooks << Selected
                  • IRP Hooks << NOT Selected
                  • Ports << NOT Selected
                  • Hidden Files << Selected
                • At the bottom of the page
                  • Hidden Objects Only << Selected
                • Click on the Create Log button on the bottom right.
                • After a few seconds a new window should appear.
                • Select Scan Root Drive. Click on the Start button.
                • When it is complete a new window will appear to indicate that the scan is finished.
                • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

                benni9000

                  Topic Starter


                  Rookie

                  • Experience: Beginner
                  • OS: Unknown
                  Re: Metropolitan Police malware has infected my system
                  « Reply #13 on: July 01, 2012, 08:46:41 AM »
                  Deleted Java 6 update 13 using Hijackthis.

                  Sysprot Log

                  SysProt AntiRootkit v1.0.1.0
                  by swatkat

                  ******************************************************************************************
                  ******************************************************************************************

                  No Hidden Processes found

                  ******************************************************************************************
                  ******************************************************************************************
                  Kernel Modules:
                  Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                  Service Name: ---
                  Module Base: ADE99000
                  Module End: ADEB1000
                  Hidden: Yes

                  Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                  Service Name: ---
                  Module Base: BA648000
                  Module End: BA64A000
                  Hidden: Yes

                  ******************************************************************************************
                  ******************************************************************************************
                  SSDT:
                  Function Name: ZwAddBootEntry
                  Address: ADEF1DF8
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwAllocateVirtualMemory
                  Address: ADF7EA5A
                  Driver Base: ADF73000
                  Driver End: ADFC4000
                  Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                  Function Name: ZwAssignProcessToJobObject
                  Address: ADEF285E
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwClose
                  Address: ADF1ED5D
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwConnectPort
                  Address: AE1CC64C
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateEvent
                  Address: ADEF72E4
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwCreateEventPair
                  Address: ADEF7330
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwCreateFile
                  Address: AE1D3316
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateIoCompletion
                  Address: ADEF7422
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwCreateKey
                  Address: ADF1E711
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwCreateMutant
                  Address: ADEF7252
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwCreatePort
                  Address: AE1CC46A
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateProcess
                  Address: AE1CDEE8
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateProcessEx
                  Address: AE1CA978
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateSection
                  Address: ADEF7374
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwCreateSemaphore
                  Address: ADEF729A
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwCreateThread
                  Address: AE1CB634
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateTimer
                  Address: ADEF73DC
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwDebugActiveProcess
                  Address: AE1CBD22
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwDeleteBootEntry
                  Address: ADEF1E44
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwDeleteKey
                  Address: ADF1F423
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwDeleteValueKey
                  Address: ADF1F6D9
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwDuplicateObject
                  Address: ADEF49A8
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwEnumerateKey
                  Address: ADF1F28E
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwEnumerateValueKey
                  Address: ADF1F0F9
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwFreeVirtualMemory
                  Address: ADF7EB34
                  Driver Base: ADF73000
                  Driver End: ADFC4000
                  Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                  Function Name: ZwLoadDriver
                  Address: ADEF1AD6
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwModifyBootEntry
                  Address: ADEF1E90
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwNotifyChangeKey
                  Address: ADEF4D1C
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwNotifyChangeMultipleKeys
                  Address: ADEF2B02
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenEvent
                  Address: ADEF730E
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenEventPair
                  Address: ADEF7352
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenFile
                  Address: AE1D3694
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwOpenIoCompletion
                  Address: ADEF7446
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenKey
                  Address: ADF1EA6D
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenMutant
                  Address: ADEF7278
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenProcess
                  Address: ADEF4518
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenSection
                  Address: ADEF73AE
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenSemaphore
                  Address: ADEF72C2
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenThread
                  Address: ADEF474C
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwOpenTimer
                  Address: ADEF7400
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwProtectVirtualMemory
                  Address: ADF7ECA0
                  Driver Base: ADF73000
                  Driver End: ADFC4000
                  Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                  Function Name: ZwQueryKey
                  Address: ADF1EF74
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwQueryObject
                  Address: ADEF29CE
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwQueryValueKey
                  Address: ADF1EDC6
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwQueueApcThread
                  Address: AE1CDA44
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwRenameKey
                  Address: ADF88B68
                  Driver Base: ADF73000
                  Driver End: ADFC4000
                  Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                  Function Name: ZwRequestPort
                  Address: AE1CCCB0
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwRequestWaitReplyPort
                  Address: AE1CD018
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwRestoreKey
                  Address: ADF1DD84
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwResumeThread
                  Address: AE1CC0CE
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSecureConnectPort
                  Address: AE1CC86E
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSetBootEntryOrder
                  Address: ADEF1EDC
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwSetBootOptions
                  Address: ADEF1F28
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwSetContextThread
                  Address: AE1CBBCC
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSetSystemInformation
                  Address: ADEF1B46
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwSetSystemPowerState
                  Address: ADEF1CEA
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwSetValueKey
                  Address: ADF1F52A
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwShutdownSystem
                  Address: ADEF1C92
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwSuspendProcess
                  Address: AE1CC1FE
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSuspendThread
                  Address: AE1CBF7A
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSystemDebugControl
                  Address: ADEF1D5A
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwTerminateProcess
                  Address: ADF7ED60
                  Driver Base: ADF73000
                  Driver End: ADFC4000
                  Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                  Function Name: ZwTerminateThread
                  Address: AE1CBA66
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwUnloadDriver
                  Address: AE1CD518
                  Driver Base: AE1CA000
                  Driver End: AE1FB000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwVdmControl
                  Address: ADEF1F74
                  Driver Base: ADED9000
                  Driver End: ADF73000
                  Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

                  Function Name: ZwWriteVirtualMemory
                  Address: ADF7EBE0
                  Driver Base: ADF73000
                  Driver End: ADFC4000
                  Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                  ******************************************************************************************
                  ******************************************************************************************
                  Kernel Hooks:
                  Hooked Function: ZwClose
                  At Address: 805BC55E
                  Jump To: ADF91C8C
                  Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

                  Hooked Function: ObMakeTemporaryObject
                  At Address: 805BC55E
                  Jump To: ADF91C8C
                  Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

                  Hooked Function: ObInsertObject
                  At Address: 805C2FE2
                  Jump To: ADF9374C
                  Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

                  Hooked Function: ObCloseHandle
                  At Address: 805BC55E
                  Jump To: ADF91C8C
                  Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

                  ******************************************************************************************
                  ******************************************************************************************
                  No hidden files/folders found
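An added example (not part of the original post or of the scanner that produced this log): a Python parser for the SSDT section format shown above. It groups hooked functions by owning driver and flags entries whose handler address falls outside the driver's image range or whose driver is not on an analyst-supplied trusted list. The trusted list and the last two sample entries are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: drivers the analyst has already identified as belonging to
# security products installed on this machine (names taken from the log).
TRUSTED_DRIVERS = {"aswsnx.sys", "aswsp.sys", "oadriver.sys"}

OUT_OF_RANGE = "handler address outside the driver's image range"
UNTRUSTED = "hook owned by a driver not on the trusted list"
MALFORMED = "incomplete or malformed entry"

# Sample input in the log's format. The first three entries are copied from
# the log above; the last two are CONSTRUCTED to exercise the checks.
SAMPLE_LOG = r"""
******************************************************************************************
SSDT:
Function Name: ZwAddBootEntry
Address: ADEF1DF8
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwAllocateVirtualMemory
Address: ADF7EA5A
Driver Base: ADF73000
Driver End: ADFC4000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwConnectPort
Address: AE1CC64C
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwQuerySystemInformation
Address: F7A01234
Driver Base: F7A00000
Driver End: F7A08000
Driver Name: \??\C:\WINDOWS\system32\drivers\example_unknown.sys

Function Name: ZwEnumerateKey
Address: 81F3A010
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

******************************************************************************************
Kernel Hooks:
Hooked Function: ZwClose
"""

FIELD = re.compile(
    r"^\s*(Function Name|Address|Driver Base|Driver End|Driver Name):\s*(.*?)\s*$"
)


def parse_ssdt(log_text):
    """Return the SSDT entries of a log as a list of field dictionaries."""
    entries, current, in_ssdt = [], {}, False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "SSDT:":
            in_ssdt = True
            continue
        if not in_ssdt:
            continue
        if stripped.startswith("*****"):  # separator: next section begins
            break
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2)
        elif not stripped and current:  # blank line closes one entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def driver_file(path):
    """Lower-cased file name of a driver path such as \\??\\C:\\...\\x.sys."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage(entries, trusted=TRUSTED_DRIVERS):
    """Group hooks by driver and list the entries that need a closer look."""
    by_driver, findings = defaultdict(list), []
    for entry in entries:
        name = entry.get("Function Name", "?")
        driver = driver_file(entry.get("Driver Name", "")) or "<unknown>"
        by_driver[driver].append(name)
        try:
            addr = int(entry["Address"], 16)
            base = int(entry["Driver Base"], 16)
            end = int(entry["Driver End"], 16)
        except (KeyError, ValueError):
            findings.append((name, MALFORMED))
            continue
        if not base <= addr < end:
            findings.append((name, OUT_OF_RANGE))
        if driver not in trusted:
            findings.append((name, UNTRUSTED))
    return dict(by_driver), findings


if __name__ == "__main__":
    grouped, flagged = triage(parse_ssdt(SAMPLE_LOG))
    for driver, functions in sorted(grouped.items()):
        print(f"{driver}: {len(functions)} hooked function(s)")
    for function, reason in flagged:
        print(f"REVIEW {function}: {reason}")
```
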

                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 991
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 8
                  Re: Metropolitan Police malware has infected my system
                  « Reply #14 on: July 01, 2012, 04:01:04 PM »
                  How's your computer running now?

                  I'd like to scan your machine with ESET OnlineScan

                  •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                  ESET OnlineScan
                  •Click the button.
                  •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  • Click on to download the ESET Smart Installer. Save it to your desktop.
                  • Double click on the icon on your desktop.
                  •Check
                  •Click the button.
                  •Accept any security warnings from your browser.
                  •Check
                  •Push the Start button.
                  •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                  •When the scan completes, push
                  •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                  •Push the button.
                  •Push
                  A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                  Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

                  benni9000

                    Re: Metropolitan Police malware has infected my system
                    « Reply #15 on: July 03, 2012, 03:39:33 PM »
                    Here is the ESET Log

                    ESETSmartInstaller@High as downloader log:
                    all ok
                    # version=7
                    # OnlineScannerApp.exe=1.0.0.1
                    # OnlineScanner.ocx=1.0.0.6583
                    # api_version=3.0.2
                    # EOSSerial=58554bdb09dce644811fbe806f8fc97c
                    # end=finished
                    # remove_checked=false
                    # archives_checked=true
                    # unwanted_checked=true
                    # unsafe_checked=false
                    # antistealth_checked=true
                    # utc_time=2012-07-03 12:16:40
                    # local_time=2012-07-03 01:16:40 (+0000, GMT Daylight Time)
                    # country="United Kingdom"
                    # lang=1033
                    # osver=5.1.2600 NT Service Pack 3
                    # compatibility_mode=512 16777215 100 0 107290 107290 0 0
                    # compatibility_mode=768 16777215 100 0 75885219 75885219 0 0
                    # compatibility_mode=6401 16777213 66 100 348807 2879305 0 0
                    # compatibility_mode=8192 67108863 100 0 0 0 0 0
                    # scanned=120787
                    # found=0
                    # cleaned=0
                    # scan_time=9941


                    The computer seems to be running fine now with the exception of a missing RUNDLL file upon start up.  I have mentioned this before in my original post and in my shortened version.

                    I got Metropolitan Police malware on my laptop.  I followed the "read this before requesting malware removal help" post which seems to have stopped it. Now I just need to get rid of the damage?  I think there are still some files left on my laptop from the malware and I am missing a RUNDLL file from the windows directory.

                    I have attached a jpg of the error window as I couldn't seem to get it into the post.

                    I believe the RUNDLL file was the source of my malware issue.  I will explain my reasoning though I could be wrong.  When I got the malware it locked up the laptop.  It didn't however start until the internet connection was live.  So with the internet disconnected I looked in my startup folder by going right mouse button on Start and browsing all users.  I found a shortcut called cpfmon.  I deleted it cos I didn't know what it was.  Came straight back.  So I searched C drive for cpfmon and found a few other files with the same name.  I deleted them and then connected to the internet.  No malware issue.  When I restarted and connected I got the malware back.  So I looked at the properties of the cpfmon shortcut and found where it was linked to, it was a RUNDLL file in the windows directory.  Hence why I think the RUNDLL file was the source of the malware or at least what it had infected.

                    Apart from this missing file everything is ok that I can see.  I appreciate all the help you have given.

                    Thank you

                    [year+ old attachment deleted by admin]

                    SuperDave

                    Re: Metropolitan Police malware has infected my system
                    « Reply #16 on: July 04, 2012, 04:31:55 PM »
                    I'm happy that everything is working well but I want to check further on that alert and then we'll do some cleanup.

                    SuperDave

                    Re: Metropolitan Police malware has infected my system
                    « Reply #17 on: July 04, 2012, 05:46:42 PM »
                    Please download SystemLook from one of the links below and save it to your desktop.

                    Link # 1
                    Link # 2

                    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                    Double-click SystemLook.exe to run it.

                    Copy the contents of the following codebox into the main textfield.
                    Code: [Select]
                    :filefind
                    jork_0_typ_col.exe

                    Click the Look button to start the scan.

                    Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

                    When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt

                    benni9000

                      Re: Metropolitan Police malware has infected my system
                      « Reply #18 on: July 05, 2012, 12:44:11 PM »
                      SystemLook 30.07.11 by jpshortstuff
                      Log created at 18:17 on 05/07/2012 by Benni
                      Administrator - Elevation successful

                      ========== filefind ==========

                      Searching for "jork_0_typ_col.exe"
                      No files found.

                      -= EOF =-


                      SuperDave

                      Re: Metropolitan Police malware has infected my system
                      « Reply #19 on: July 05, 2012, 06:48:10 PM »
                      Double-click SystemLook.exe to run it.

                      Copy the contents of the following codebox into the main textfield.
                      Code: [Select]
                      :regfind
                      jork_0_typ_col.exe

                      Click the Look button to start the scan.

                      Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

                      When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
                       

                      benni9000

                        Re: Metropolitan Police malware has infected my system
                        « Reply #20 on: July 06, 2012, 12:42:33 PM »
                        Nothing exciting I'm afraid

                        SystemLook 30.07.11 by jpshortstuff
                        Log created at 19:39 on 06/07/2012 by Benni
                        Administrator - Elevation successful

                        ========== regfind ==========

                        Searching for "jork_0_typ_col.exe"
                        No data found.

                        -= EOF =-

                        SuperDave

                        Re: Metropolitan Police malware has infected my system
                        « Reply #21 on: July 07, 2012, 06:25:45 PM »
                        Please download SystemLook from one of the links below and save it to your desktop.

                        Link # 1
                        Link # 2

                        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                        Double-click SystemLook.exe to run it.

                        Copy the contents of the following codebox into the main textfield.
                        Code: [Select]
                        :regfind
                        "error loading"

                        Click the Look button to start the scan.

                        Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

                        When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
                         

                        benni9000

                          Re: Metropolitan Police malware has infected my system
                          « Reply #22 on: July 08, 2012, 11:13:25 AM »
                          I'm afraid there is still no joy

                          SystemLook 30.07.11 by jpshortstuff
                          Log created at 18:08 on 08/07/2012 by Benni
                          Administrator - Elevation successful

                          ========== regfind ==========

                          Searching for ""error loading""
                          No data found.

                          -= EOF =-

                          SuperDave

                          Re: Metropolitan Police malware has infected my system
                          « Reply #23 on: July 09, 2012, 04:49:22 PM »
                          Please do this even if you don't have your OS disk. Please let me know what happens.

                          Do you have an XP CD?

                          If so, place it in your CD ROM drive and follow the instructions below:
                          •Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
                          •Let this run undisturbed until the window with the blue progress bar goes away
                          SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

                          benni9000

                            Re: Metropolitan Police malware has infected my system
                            « Reply #24 on: July 11, 2012, 10:36:10 AM »
                            Unfortunately I don't have the XP CD.  I got the laptop with an XP downgrade as I didn't want Windows Vista.  I have the Vista CD though.

                            I followed the SFC /Scannow instructions.  It went through it all.  There was no message after it finished so I assume everything was ok.

                            SuperDave

                            Re: Metropolitan Police malware has infected my system
                            « Reply #25 on: July 11, 2012, 04:44:31 PM »
                            Quote from: benni9000
                            "Unfortunately I don't have the XP CD.  I got the laptop with an XP downgrade as I didn't want Windows Vista.  I have the Vista CD though.

                            I followed the SFC /Scannow instructions.  It went through it all.  There was no message after it finished so I assume everything was ok."

                            If it didn't ask for the XP disk that means all the OS files are ok. I'm at a loss as to what's causing this error.

                            benni9000

                              Re: Metropolitan Police malware has infected my system
                              « Reply #26 on: July 12, 2012, 03:05:20 PM »
                              Ok.  No worries.  Other than that message on startup everything seems to be working ok.  I really appreciate the time and effort you've spent helping me sort my laptop out.

                              Thank you

                              SuperDave

                              Re: Metropolitan Police malware has infected my system
                              « Reply #27 on: July 12, 2012, 03:56:33 PM »
                              We should do some cleanup before you go.

                              Download this program and run it: Uninstall ComboFix. It will remove ComboFix for you.
                              *******************************************
                              To turn off Windows XP System Restore:

                              NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

                              1. Click Start.
                              2. Right-click the My Computer icon, and then click Properties.
                              3. Click the System Restore tab.
                              4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
                              5. Click Apply.
                              6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                              7. Click OK.
                              8. Restart the computer and follow the instructions in the next section to turn on System Restore.

                              To turn on Windows XP System Restore:

                              1. Click Start.
                              2. Right-click My Computer, and then click Properties.
                              3. Click the System Restore tab.
                              4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
                              5. Click Apply, and then click OK.
                              ************************************************
                              Clean out your temporary internet files and temp files.

                              Download TFC by OldTimer to your desktop.

                              Double-click TFC.exe to run it.

                              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                              TFC will close all programs when run, so make sure you have saved all your work before you begin.

                              * Click the Start button to begin the cleaning process.
                              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                              * Please let TFC run uninterrupted until it is finished.

                              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                              ************************************************
                              Use the Secunia Software Inspector to check for out of date software.

                              • Click Start Now
                              • Check the box next to Enable thorough system inspection.
                              • Click Start
                              • Allow the scan to finish and scroll down to see if any updates are needed.
                              • Update anything listed.
                              ----------

                              Go to Microsoft Windows Update and get all critical updates.

                              ----------

                              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                              * Using SpywareBlaster to protect your computer from Spyware and Malware
                              * If you don't know what ActiveX controls are, see here

                              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                              Safe Surfing!
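
A scripted equivalent of the System Restore off/on steps in the reply above, as an added example that is not part of the original post. It assumes Windows PowerShell 2.0 or later in an elevated session; the script name and the checkpoint description are made up for illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 or later,
# run elevated. Save as Reset-RestorePoints.ps1 (hypothetical name).
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Off', 'On')]
    [string]$Phase
)
$ErrorActionPreference = 'Stop'
$drive = "$env:SystemDrive\"

# Both phases change system protection settings, so require administrator rights.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$admin = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole($admin)) {
    throw 'Run this from an elevated PowerShell session.'
}

function Get-RestorePointList {
    # Emits nothing when no restore points exist; callers wrap the call in @().
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, CreationTime, Description
}

if ($Phase -eq 'Off') {
    $before = @(Get-RestorePointList)
    Write-Host "Restore points before: $($before.Count)"
    $before | Format-Table -AutoSize | Out-String | Write-Host

    Disable-ComputerRestore -Drive $drive    # the "turn off" steps

    # Verify instead of assuming: old points can hold copies of the malware.
    $after = @(Get-RestorePointList)
    if ($after.Count -gt 0) {
        Write-Warning "$($after.Count) restore point(s) still listed; recheck after restart."
    }
    Write-Host 'System Restore is off. Restart, then run again with -Phase On.'
}
else {
    Enable-ComputerRestore -Drive $drive     # the "turn on" steps
    try {
        # Record a clean baseline; the description text is a constructed label.
        Checkpoint-Computer -Description 'Clean baseline after malware removal' `
            -RestorePointType MODIFY_SETTINGS
    }
    catch {
        Write-Warning "System Restore is on, but no checkpoint was created: $_"
    }
    Write-Host "Restore points now: $(@(Get-RestorePointList).Count)"
}
```

Run it once with `-Phase Off`, restart as the post instructs, then run it with `-Phase On`.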