Metropolitan Police malware has infected my system

[benni9000]

Last Wednesday I was on the net when a screen came up saying that I had illegal copies of music, games and programs on my laptop and also claiming that I had been looking at unsuitable content on the internet.  It had the Metropolitan police logo, addresse and all the official looking stuff.  It also said that they had locked my PC and I had to pay a fine of £100 to unlock it.  I couldn't do anything on my laptop.  I couldn't even open task manager so I hit the power button and restarted the laptop.  When it got into windows the screen came up again.  When I restarted the laptop a 3rd time I turned the wifi off and it booted fine without the screen.  When I turned the wifi on however the screen came back.  After restarting again without the wifi on I scanned my laptop using my my anti virus software Avast but it didn't pick up anything.  I then went RMB on start then 'Explore all users' (I use Windows XP) then to here 'C:\Documents and Settings\Benni\Start Menu\Programs\Startup' and found a shortcut called 'ctfmon'.  Not something I had installed.  I deleted it and it came straight back.  I then searched the name on C:\ drive and found some files with the same name.  I deleted them.  One was an exe file.  The shortcut came back to the startup menu but the others didn't.  I also looked at the properties of the ctfmon file that kept coming back and look to see where it went to.  It went to a RUNDLL file in the windows32 folder.  This I couldn't delete as the file was write protected or my hard drive was full.  After I had done all of this I turned on my wifi and the malware screen DIDN'T pop up.  Yay I thought until I restarted.  I hadn't got rid of it and everything was back, but now I had a work around to get onto the internet.  I search the Metropolitan police malware on the net and found that it was world wide and a nightmare to get rid of.  Google also pointed out to me that I had been infected and recommended some programs to use.  I installed McCafee Stinger which didn't find it.  So back to the net, that's when I found Computer Hope.  I read the read me before requesting malware removal help.  I followed the instructions and installed and ran the programs.  I have the logs as well for when you request them.  Unfortunately during the process I have accidentally blocked a java file using online armour.  The file is here C:\windows\system32\javacpl.cpl and now I cant run the program or figure out how to unblock it.  Something else that has happened while I was running all the scans and anti spyware and such is that when I boot the laptop up I am missing a RUNDLL file (I think it's the one that was infected) with a message saying 'Error loading jork_O_typ_col.exe  The specified module could not be found'.  Now it seams that everything has fixed the malware issue, but I think some of the files are still around.  I know ctfmon shortcut is still there.  I haven't tried anything else as the 'read this' post said not to do anything until instructed so I haven't.  I am by no means a computer expert but I'm sure the RUNDLL file is kind of needed by windows or at least is important.  Could someone please help me finish this off and get my laptop back to propper working order.  The 'read this' post was really helpful and easy to use, I am grateful it was there.  I'm not sure if you need the logs posted or not, I did get a Little confused about that so I have left them out until requested.

I hope someone can help

Benni

[Allan]

I'm sorry, I can't follow your post at all. As concisely as possible, what's your question?

[benni9000]

I got Metropolitan Police malware on my laptop.  I followed the "read this before requesting malware removal help" post which seems to have stopped it, Now I just need to get rid of the damage?  I think there are still some files left on my laptop from the malware and I am missing a RUNDLL file from the windows directory.  Also how do I unblock javacpl.cpl which I accidentally blocked with online armour?  It's stopping me from running Java when I click on it.

[Allan]

Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

[benni9000]

here they are.

[year+ old attachment deleted by admin]

[benni9000]

Sorry, I was supposed to post them this way.



mbam-log-2012-06-23 (19-22-03)

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.23.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Benni :: TRINITY [administrator]

Protection: Enabled

23/06/2012 19:05:23
mbam-log-2012-06-23 (19-22-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243523
Time elapsed: 13 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 32
HKCR\CLSID\{597A9974-8CB0-4f41-B61F-ED065738A397} (PUP.RewardsArcade) -> No action taken.
HKCR\CLSID\{25514C64-8321-494e-BD3E-3DBAB3F8CEBA} (PUP.RewardsArcade) -> No action taken.
HKCR\TypeLib\{60BE6B2E-F2F5-4404-AA1E-4381D4A6EEA2} (PUP.RewardsArcade) -> No action taken.
HKCR\Interface\{6427058B-217C-4C7F-A6CE-C7934C0BDCEB} (PUP.RewardsArcade) -> No action taken.
HKCR\RewardsArcade.FBApi.1 (PUP.RewardsArcade) -> No action taken.
HKCR\RewardsArcade.FBApi (PUP.RewardsArcade) -> No action taken.
HKCR\RewardsArcade.BHO.1 (PUP.RewardsArcade) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RewardsArcade (PUP.RewardsArcade) -> No action taken.
HKCU\SOFTWARE\QuickyPlaeyrSoft (Trojan.DNSChanger) -> No action taken.
HKCU\Software\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
HKLM\SOFTWARE\ScanQuery (Adware.ScanQuery) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScanQuery (Adware.ScanQuery) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCANQUERY_SERVICE (Adware.ScanQuery) -> No action taken.

Registry Values Detected: 5
HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping|{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Data: 8198 -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping|{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Data: 8197 -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Data:  -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Data:  -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search| (Adware.Hotbar) -> Data: http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUman000 -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 28
C:\Program Files\RewardsArcade (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\db (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\dwld (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\report (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\res1 (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Start Menu\Programs\QuickyPlaeyr (Trojan.DNSChanger) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64} (Adware.ScanQuery) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}\chrome (Adware.ScanQuery) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}\defaults (Adware.ScanQuery) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}\defaults\preferences (Adware.ScanQuery) -> No action taken.
C:\Program Files\ScanQuery (Adware.ScanQuery) -> No action taken.
C:\Documents and Settings\All Users\Application Data\ScanQuery (Adware.ScanQuery) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498 (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Chrome (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\locale (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin (PUP.RewardsArcade) -> No action taken.

Files Detected: 68
C:\Program Files\RewardsArcade\RewardsArcade.dll (PUP.RewardsArcade) -> No action taken.
C:\Program Files\RewardsArcade\fb.js (PUP.RewardsArcade) -> No action taken.
C:\Program Files\RewardsArcade\appAPIinternalWrapper.js (PUP.RewardsArcade) -> No action taken.
C:\Program Files\RewardsArcade\jquery.js (PUP.RewardsArcade) -> No action taken.
C:\Program Files\RewardsArcade\json.js (PUP.RewardsArcade) -> No action taken.
C:\Program Files\RewardsArcade\RewardsArcade.exe (PUP.RewardsArcade) -> No action taken.
C:\Program Files\RewardsArcade\Uninstall.exe (PUP.RewardsArcade) -> No action taken.
C:\Program Files\RewardsArcade\UserConfirmation.exe (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\Config.xml (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\db\Aliases.dbs (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\db\Sites.dbs (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\dwld\WhiteList.xip (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\report\aggr_storage.xml (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\report\send_storage.xml (Adware.ShoppingReport2) -> No action taken.
C:\Documents and Settings\Benni\Application Data\ShoppingReport2\cs\res1\WhiteList.dbs (Adware.ShoppingReport2) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}\chrome.manifest (Adware.ScanQuery) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}\install.rdf (Adware.ScanQuery) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}\chrome\scanquery.jar (Adware.ScanQuery) -> No action taken.
C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}\defaults\preferences\prefs.js (Adware.ScanQuery) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\uninstall.ico (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\dialog.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\options.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\search_dialog.xul (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\icon128.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\icon16.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\icon48.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\panelarrow-up.png (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\popup.css (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\popup.html (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\popup_binding.xml (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> No action taken.
C:\Documents and Settings\Benni\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> No action taken.

(end)




SUPERAntiSpyware Scan Log - 06-23-2012 - 18-40-46

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2012 at 06:40 PM

Application Version : 5.1.1002

Core Rules Database Version : 8788
Trace Rules Database Version: 6600

Scan type       : Complete Scan
Total Scan Time : 01:12:34

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 847
Memory threats detected   : 0
Registry items scanned    : 35420
Registry threats detected : 151
File items scanned        : 145639
File threats detected     : 653

PUP.MyWebSearch/FunWebProducts
   HKLM\SOFTWARE\Fun Web Products
   HKLM\SOFTWARE\Fun Web Products#JpegConversionLib
   HKLM\SOFTWARE\Fun Web Products#CacheDir
   HKLM\SOFTWARE\Fun Web Products\MSNMessenger
   HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLFile
   HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLDir
   HKLM\SOFTWARE\Fun Web Products\ScreenSaver
   HKLM\SOFTWARE\Fun Web Products\ScreenSaver#ImagesDir
   HKLM\SOFTWARE\Fun Web Products\Settings
   HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn
   HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn#LastHTMLMenuURL
   HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn#HTMLMenuRevision
   HKLM\SOFTWARE\Fun Web Products\Settings\CursorManiaBtn#ETag
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.numActive
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.0
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqNone
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.numActive
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.0
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqUninstalled
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive2
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.1
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.2
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.3
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.4
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.5
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.6
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.7
   HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.8
   HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn
   HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#HTMLMenuPosDeleted
   HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#LastHTMLMenuURL
   HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#HTMLMenuRevision
   HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#ETag
   HKLM\SOFTWARE\FunWebProducts
   HKLM\SOFTWARE\FunWebProducts\Installer
   HKLM\SOFTWARE\FunWebProducts\Installer#Dir
   HKLM\SOFTWARE\FunWebProducts\Installer#sr
   HKLM\SOFTWARE\FunWebProducts\Installer#pl
   HKLM\SOFTWARE\FunWebProducts\Installer#CurInstall
   HKLM\SOFTWARE\FunWebProducts\Installer#CheckForConnection
   HKLM\SOFTWARE\FunWebProducts\Installer#CacheDir
   HKU\S-1-5-21-2990146027-3927655144-4261030477-1005\SOFTWARE\MyWebSearch
   HKLM\SOFTWARE\MyWebSearch
   HKLM\SOFTWARE\MyWebSearch\bar
   HKLM\SOFTWARE\MyWebSearch\bar#UseFWB
   HKLM\SOFTWARE\MyWebSearch\bar#pid
   HKLM\SOFTWARE\MyWebSearch\bar#fwp
   HKLM\SOFTWARE\MyWebSearch\bar#tiec
   HKLM\SOFTWARE\MyWebSearch\bar#Dir
   HKLM\SOFTWARE\MyWebSearch\bar#PluginPath
   HKLM\SOFTWARE\MyWebSearch\bar#UninstallString
   HKLM\SOFTWARE\MyWebSearch\bar#Id
   HKLM\SOFTWARE\MyWebSearch\bar#CurInstall
   HKLM\SOFTWARE\MyWebSearch\bar#SettingsDir
   HKLM\SOFTWARE\MyWebSearch\bar#sr
   HKLM\SOFTWARE\MyWebSearch\bar#pl
   HKLM\SOFTWARE\MyWebSearch\bar#CacheDir
   HKLM\SOFTWARE\MyWebSearch\bar#ConfigDateStamp
   HKLM\SOFTWARE\MyWebSearch\bar#HTMLMenuRevision
   HKLM\SOFTWARE\MyWebSearch\bar#sscLabel
   HKLM\SOFTWARE\MyWebSearch\bar#sscURL
   HKLM\SOFTWARE\MyWebSearch\bar#Flags
   HKLM\SOFTWARE\MyWebSearch\bar#HistoryDir
   HKLM\SOFTWARE\MyWebSearch\bar#Maximized
   HKLM\SOFTWARE\MyWebSearch\bar#Visible
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pid
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fwp
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Dir
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#esh
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#lsp
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Id
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#CurInstall
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sr
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pl
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#ConfigDateStamp
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#ABS
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#DES
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sscEnabled
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#eintl
   HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fs
   HKLM\SOFTWARE\MyWebSearch\SkinTools
   HKLM\SOFTWARE\MyWebSearch\SkinTools#PlayerPath
   HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
   HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs
   HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}
   HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}\TreatAs
   HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
   HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
   HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
   HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
   HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
   HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
   HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
   HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
   HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
   HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
   HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
   HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
   HKLM\Software\FocusInteractive
   HKLM\Software\FocusInteractive\bar
   HKLM\Software\FocusInteractive\bar\Switches
   HKLM\Software\FocusInteractive\bar\Switches#incmail.exe
   HKLM\Software\FocusInteractive\bar\Switches#msimn.exe
   HKLM\Software\FocusInteractive\bar\Switches#msn.exe
   HKLM\Software\FocusInteractive\bar\Switches#outlook.exe
   HKLM\Software\FocusInteractive\bar\Switches#waol.exe
   HKLM\Software\FocusInteractive\bar\Switches#aim.exe
   HKLM\Software\FocusInteractive\bar\Switches#icq.exe
   HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe
   HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe
   HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe
   HKLM\Software\FocusInteractive\bar\Switches#ypager.exe
   HKLM\Software\FocusInteractive\bar\Switches#au
   HKLM\Software\FocusInteractive\bar\Switches#mwsSrcAs.dll
   HKLM\Software\FocusInteractive\bar\Switches#ps
   HKLM\Software\FocusInteractive\bar\Switches#ok
   HKLM\Software\FocusInteractive\bar\Switches#od
   HKLM\Software\FocusInteractive\bar\Switches#nk
   HKLM\Software\FocusInteractive\bar\Switches#nd
   HKLM\Software\FocusInteractive\Email-IM
   HKLM\Software\FocusInteractive\Email-IM\0
   HKLM\Software\FocusInteractive\Email-IM\0#Toolbar
   HKLM\Software\FocusInteractive\Email-IM\0#AppName
   HKLM\Software\FocusInteractive\Outlook
   C:\Program Files\MyWebSearch\bar\History\search3
   C:\Program Files\MyWebSearch\bar\History
   C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
   C:\Program Files\MyWebSearch\bar\Settings
   C:\Program Files\MyWebSearch\bar
   C:\Program Files\MyWebSearch
   C:\Program Files\FunWebProducts\ScreenSaver\Images
   C:\Program Files\FunWebProducts\ScreenSaver
   C:\Program Files\FunWebProducts\Shared
   C:\Program Files\FunWebProducts

Browser Hijacker.Deskbar
   HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
   HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
   HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
   HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
   HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Trojan.DNS-Changer (Hi-Jacked DNS)
   HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{451623F4-A7AF-4D6E-8A4B-6B4575F5FD17}#NAMESERVER
   HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{53E4B888-81F5-4200-87CD-2C5DCA401DC6}#NAMESERVER
   HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{451623F4-A7AF-4D6E-8A4B-6B4575F5FD17}#NAMESERVER
   HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{53E4B888-81F5-4200-87CD-2C5DCA401DC6}#NAMESERVER

Rootkit.Agent/Gen-GXServ
   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys#start
   HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys#type

Adware.Tracking Cookie
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\NL2MS9T0.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\VIZMOZLP.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\TD88FARK.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\5UNIQ3PY.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\AQ2K7NVL.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\4QHFHBY9.txt [ Cookie:[email protected]/eurosport/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\7K9NIXSE.txt [ Cookie:[email protected]/pagead/conversion/1072624510/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\RTPROEIF.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\UX2NPDNX.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\XEDU7OPJ.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\N666H9UK.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\YKRNLY1A.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\2OO7FP33.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\9ISSDHK4.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\VA0ILD7Q.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\ECZW16ZX.txt [ Cookie:[email protected]/eurosport/yahoouk/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\HBRK4EZV.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\6SQOBDUQ.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\JKLMM9UF.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\003ANIMN.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\8WBMCXQ0.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\QXS1ATMQ.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\JJZFARUJ.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\L6HD2PGI.txt [ Cookie:[email protected]/pagead/conversion/1070752702/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\7XI1690K.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\BGO1091I.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\FDJ4ZMMS.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\GPTLCRJW.txt [ Cookie:[email protected]/pagead/conversion/1028445026/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\QFX1V5IB.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\376S5A3A.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\0HA5WH2B.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\D1703L9M.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\HLJK5C0Q.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\FS3SQV2O.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\KNJMQBND.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\FJDP3W68.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\TAZYW5P4.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\V25SZ4EC.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\3B5OJ109.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\OKONVCT7.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\4XR97HUD.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\2N1A73WF.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\6450ZJKQ.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\XJOUQGIU.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\RRT5HV3T.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\UNFSLYYK.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\XX0W20XM.txt [ Cookie:[email protected]/cgi-bin ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\GO22OT12.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\2MDXBWS6.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\Cookies\5OIRHYJN.txt [ Cookie:[email protected]/ ]
   C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\system@atdmt[2].txt [ Cookie:[email protected]/ ]
   account.goodgamestudios.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   core.insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   ds.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   ec.atdmt.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   gw.callingbanners.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   ia.media-imdb.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   media.scanscout.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   media1.clubpenguin.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   media1.thegamehomepage.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   memecounter.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   msnbcmedia.msn.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   s0.2mdn.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   secure-uk.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   spe.atdmt.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   tracking.onefeed.co.uk [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KMVXMYBS ]
   .bs.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .at.atwola.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .advertising.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .advertising.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .advertising.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .surveymonkey.122.2o7.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .popcapgames.122.2o7.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .atdmt.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .linksynergy.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .linksynergy.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .linksynergy.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .linksynergy.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .doubleclick.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .fastclick.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .fastclick.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .server.cpmstar.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   www.underdogmedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .atdmt.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .server.cpmstar.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .server.cpmstar.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .server.cpmstar.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .apmebf.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .adbrite.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .zedo.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .zedo.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .revsci.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .pro-market.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .pro-market.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .collective-media.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .collective-media.net [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .zedo.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .zedo.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .zedo.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .zedo.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .zedo.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .smartadserver.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .smartadserver.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .smartadserver.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .smartadserver.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .adbrite.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .advertising.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .advertising.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .ru4.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .tribalfusion.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .at.atwola.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   .lucidmedia.com [ C:\DOCUMENTS AND SETTINGS\AMANDA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\EIWDTQ9M.DEFAULT\COOKIES.SQLITE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /112.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /112.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /122.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /122.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /192COM.112.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /192COM.112.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@247REALMEDIA[1].TXT [ /247REALMEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@247REALMEDIA[2].TXT [ /247REALMEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@2O7[2].TXT [ /2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@2O7[3].TXT [ /2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@77TRACKING[1].TXT [ /77TRACKING ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /A1.INTERCLICK ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ACRONYMFINDER[1].TXT [ /ACRONYMFINDER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /AD.360YIELD ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /AD.360YIELD ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /AD.APPROVEDFOOD ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /AD.YIELDMANAGER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /AD.YIELDMANAGER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /AD.YIELDMANAGER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /AD1.EMEDIATE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /AD2.POPCAP ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADBRITE[1].TXT [ /ADBRITE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADBRITE[2].TXT [ /ADBRITE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADCENTRICONLINE[1].TXT [ /ADCENTRICONLINE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADECN[1].TXT [ /ADECN ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADFORM[1].TXT [ /ADFORM ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADFORM[3].TXT [ /ADFORM ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADINTERAX[2].TXT [ /ADINTERAX ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADINTERAX[3].TXT [ /ADINTERAX ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.AD4GAME ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.ADACADO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.ADACADO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.ADK2 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.AS4X.TMCS.TICKETMASTER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.AUDIENCE2MEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.AUDIENCE2MEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.CNN ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.GAMESBANNERNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.GAMESFREE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.GLISPA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.GOHOLIDAYS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.MONSTER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.ODEON.CO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.POINTROLL ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.POINTROLL ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.PUBMATIC ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.PUBMATIC ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.RAASNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS.TELEGRAPH.CO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS.UNDERTONE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /ADS.UNDERTONE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADS1.MUMSNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADS1.MUMSNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADSERVER.ADTECHUS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /ADSERVER.ADTECHUS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADSERVER.MORE4KIDS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADSERVER1.MOKONO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADTECH[1].TXT [ /ADTECH ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADTECH[3].TXT [ /ADTECH ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADVERTISING[1].TXT [ /ADVERTISING ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADVERTISING[2].TXT [ /ADVERTISING ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADVERTISING[3].TXT [ /ADVERTISING ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADVERTISING[4].TXT [ /ADVERTISING ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADVIVA[1].TXT [ /ADVIVA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADVIVA[2].TXT [ /ADVIVA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADVIVA[3].TXT [ /ADVIVA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADX.BIXEE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /ADX.IBIBO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADXPOSE[1].TXT [ /ADXPOSE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ADXPOSE[2].TXT [ /ADXPOSE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /AIMFAR.SOLUTION.WEBORAMA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /AIMFAR.SOLUTION.WEBORAMA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /AMZNMOTHERCARE.122.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /AMZNMOTHERCARE.122.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ANDERSELITE[1].TXT [ /ANDERSELITE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@APMEBF[1].TXT [ /APMEBF ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@APMEBF[2].TXT [ /APMEBF ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /AR.ATWOLA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /AR.ATWOLA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /AT.ATWOLA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /AT.ATWOLA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ATDMT[1].TXT [ /ATDMT ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ATDMT[2].TXT [ /ATDMT ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ATDMT[3].TXT [ /ATDMT ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@ATDMT[4].TXT [ /ATDMT ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@AUDIENCE2MEDIA[1].TXT [ /AUDIENCE2MEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@AZJMP[1].TXT [ /AZJMP ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /BANNERS.BATTLEON ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /BIZRATE.CO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@BIZRATE[2].TXT [ /BIZRATE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@BIZRATE[3].TXT [ /BIZRATE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /BMUK.BURSTNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /BMUK.BURSTNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@BRAVENET[1].TXT [ /BRAVENET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /BS.SERVING-SYS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /BS.SERVING-SYS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@BURSTNET[2].TXT [ /BURSTNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@BURSTNET[3].TXT [ /BURSTNET ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@CASALEMEDIA[2].TXT [ /CASALEMEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@CASALEMEDIA[3].TXT [ /CASALEMEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /CDISCOUNT.CO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@CLICKFUSE[2].TXT [ /CLICKFUSE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@CLICKFUSE[3].TXT [ /CLICKFUSE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@CLICKLIVERPOOL[2].TXT [ /CLICKLIVERPOOL ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /CMPMEDICA.112.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /CMPMEDICA.112.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /CN.CLICKABLE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@COLLECTIVE-MEDIA[1].TXT [ /COLLECTIVE-MEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@COLLECTIVE-MEDIA[2].TXT [ /COLLECTIVE-MEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /CONTENT.YIELDMANAGER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /CONTENT.YIELDMANAGER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][4].TXT [ /CONTENT.YIELDMANAGER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][5].TXT [ /CONTENT.YIELDMANAGER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /COUNTER.SURFCOUNTERS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /COUNTERS.GIGYA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /COUNTERS.GIGYA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@COUNTRYCODE[2].TXT [ /COUNTRYCODE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /CZ5.CLICKZS ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /DC.TREMORMEDIA ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /DEBENHAMS.122.2O7 ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@DIRECTTRACK[1].TXT [ /DIRECTTRACK ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@DISCOUNTTHEATRE[2].TXT [ /DISCOUNTTHEATRE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /DISCOUNTVOUCHERS.CO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][3].TXT [ /DISCOUNTVOUCHERS.CO ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@DMTRACKER[1].TXT [ /DMTRACKER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@DMTRACKER[2].TXT [ /DMTRACKER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@DMTRACKER[3].TXT [ /DMTRACKER ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@DOUBLECLICK[1].TXT [ /DOUBLECLICK ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\AMANDA@DOUBLECLICK[3].TXT [ /DOUBLECLICK ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4CGCJGFQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4EKDPCFO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4ENAZMKP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4EPC5WEQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4GMD5WAQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEK4KKCZELP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKICMCJGHO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKIKOCPECO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKIWOCZWKO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOCLAZKBP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOEGCPSGP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOGPCJOBO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOOHAJKEP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKOQJDZCAO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYGPCPEFO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6AEKYOGCZEEQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYOLDJKKO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYSNDPSKO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYUJDPOKO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AEKYUOCZCCO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AELIAGC5SBO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6AELYEPD5WFO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAKIKJDZWEP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAKIQGC5SLO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAKOCODPWHP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WALICPAZWCQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WALOGKCZMCP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WAMIEKCZEEO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WBK4QJDJKEP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WBKIWPCPIHP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WBKOUGCZACP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WBL4UNCPSKQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WCK4UJC5OLP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCL4OJCJWBQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCL4UIDJMHO.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCLOCGCZKGP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCLOQNAJCBQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCMICPCPAEP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WCMIEKAZWLQ.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WCMYGKC5AAP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][1].TXT [ /E-2DJ6WDK4OLCPKBP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\COOKIES\[email protected][2].TXT [ /E-2DJ6WDKOCNCJADP.STATS.ESOMNITURE ]
   C:\DOCUMENTS AND SETTINGS\AMANDA\CO

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
You can uninstall these because they are no longer required:

Java(TM) 6 Update 13
Java(TM) 6 Update 33
Java(TM) 6 Update 5
Java(TM) 6 Update 7
While you are there you should also uninstall nectar search toolbar because it could contain spyware.
***************************************************************
Please run MBAM again and clean the infections. Please post the new log.

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
**********************************************************
Download Combofix from any of the links below, and save it to your DESKTOP. 

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to  have this pre-installed on your machine before doing any malware  removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

[benni9000]

I have removed the following:

Java(TM) 6 Update 33
Java(TM) 6 Update 5
Java(TM) 6 Update 7
nectar search toolbar

Unfortunatly I couldn't uninstall Java(TM) 6 Update 13.  I got a fatal instalation error.

MBAM log.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.26.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Benni :: TRINITY [administrator]

Protection: Enabled

27/06/2012 17:25:32
mbam-log-2012-06-27 (17-25-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243687
Time elapsed: 12 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Security Check by screen317 log

Results of screen317's Security Check version 0.99.42 
 Windows XP Service Pack 3 x86   
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Disabled! 
avast! Antivirus   
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````[/u]
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.61.0.1400 
 CCleaner     
 Java(TM) 6 Update 13 
 Java version out of Date!
 Adobe Flash Player    11.3.300.262 
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox 12.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent````````[/u] 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Tall Emu Online Armor OAcat.exe
 Tall Emu Online Armor oasrv.exe
 Tall Emu Online Armor oaui.exe
 Tall Emu Online Armor OAhlp.exe
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast avastUI.exe 
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C:: 15% Defragment your hard drive soon!
````````````````````End of Log``````````````````````[/u]


Combofix log - while this was running MBAM picked up some files it reconed were infected and I quarantined them.  Was this right or have I made a mess of things?

ComboFix 12-06-27.01 - Benni 27/06/2012  18:29:36.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1918.1086 [GMT 1:00]
Running from: c:\downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Benni\Application Data\PriceGong
c:\documents and settings\Benni\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\11.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\1391.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\173.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Benni\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Benni\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Benni\WINDOWS
c:\program files\Search Guard Plus
c:\program files\Search Guard Plus\fbsProtection.xml
c:\program files\Search Guard Plus\fbsSearchProvider.xml
c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe
c:\program files\Search Guard Plus\SearchGuardPlus.exe
c:\program files\Search Guard Plus\SearchGuardPlus.ico
c:\program files\Search Guard Plus\uninstalSGP.exe
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.exe
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\Search Guard PlusU\sgpUpdaters.exe
c:\program files\Search Guard PlusU\uninstalSGPU.exe
c:\program files\SGPSA
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\test
.
.
(((((((((((((((((((((((((   Files Created from 2012-05-27 to 2012-06-27  )))))))))))))))))))))))))))))))
.
.
2012-06-26 21:56 . 2012-06-26 21:56   0   ----a-w-   c:\windows\system32\REN8F.tmp
2012-06-26 21:56 . 2012-06-26 21:56   0   ----a-w-   c:\windows\system32\REN8E.tmp
2012-06-26 21:56 . 2012-06-26 21:56   0   ----a-w-   c:\windows\system32\REN8D.tmp
2012-06-23 18:33 . 2012-06-23 18:33   476936   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-06-23 18:04 . 2012-06-23 18:04   --------   d-----w-   c:\documents and settings\Benni\Application Data\Malwarebytes
2012-06-23 18:03 . 2012-06-23 18:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-23 18:03 . 2012-06-23 18:03   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-06-23 18:03 . 2012-04-04 14:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-06-23 16:20 . 2012-06-23 16:20   --------   d-----w-   c:\documents and settings\Benni\Application Data\SUPERAntiSpyware.com
2012-06-23 16:20 . 2012-06-23 16:20   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-06-23 16:20 . 2012-06-23 16:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-06-23 08:25 . 2012-06-23 17:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
2012-06-23 08:25 . 2012-06-23 08:25   --------   d-----w-   c:\documents and settings\Benni\Application Data\OnlineArmor
2012-06-23 08:25 . 2012-05-30 13:43   44592   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
2012-06-23 08:25 . 2012-05-30 13:43   31912   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2012-06-23 08:25 . 2012-05-30 13:43   27632   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2012-06-23 08:25 . 2012-05-30 13:43   208312   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2012-06-23 08:24 . 2012-06-24 09:53   --------   d-----w-   c:\program files\Online Armor
2012-06-22 20:22 . 2012-06-23 07:05   --------   d-----w-   c:\program files\stinger
2012-06-14 16:21 . 2012-05-11 14:42   521728   ------w-   c:\windows\system32\dllcache\jsdbgui.dll
2012-05-30 12:59 . 2012-05-30 12:59   4966600   ----a-w-   c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-23 19:05 . 2012-04-04 10:04   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-06-23 19:05 . 2011-10-25 20:54   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-23 18:33 . 2010-07-04 12:21   472840   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-02 14:19 . 2007-07-30 18:18   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2007-07-30 18:19   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2004-08-11 16:12   329240   ----a-w-   c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2004-08-11 16:12   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2004-08-11 16:12   210968   ----a-w-   c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2007-07-30 18:19   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2007-07-30 18:19   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2004-08-11 16:12   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2004-08-11 16:12   35864   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 14:19 . 2004-08-11 16:00   97304   ----a-w-   c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2007-07-30 18:18   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2004-08-11 16:12   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2004-08-11 16:12   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-11 16:00   599040   ----a-w-   c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-11 16:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-11 16:00   1863168   ----a-w-   c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-11 16:00   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-11 16:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-11 16:00   385024   ------w-   c:\windows\system32\html.iec
2012-05-05 18:41 . 2012-05-05 18:41   2476   ----a-w-   C:\cc_20120505_194122.reg
2012-05-04 13:16 . 2004-08-11 16:00   2148352   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 21:59   2026496   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-11 16:11   139656   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-14 20:05 . 2012-04-14 20:05   6452   ----a-w-   C:\cc_20120414_210534.reg
2012-03-29 19:31 . 2012-03-29 19:31   1624   ----a-w-   C:\cc_20120329_203128.reg
2012-05-13 22:14 . 2012-04-06 16:17   97208   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15   123536   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2012-05-30 2346592]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Benni\Start Menu\Programs\Startup\
ctfmon.lnk - c:\windows\system32\rundll32.exe [2004-8-11 33280]
PowerReg Scheduler.exe [2010-12-28 256000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-26 50688]
Skype.lnk - c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe [2012-3-24 371272]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2012-05-30 361800]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 14:20   73728   ----a-w-   c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Benni^Start Menu^Programs^Startup^ctfmon.lnk]
path=c:\documents and settings\Benni\Start Menu\Programs\Startup\ctfmon.lnk
backup=c:\windows\pss\ctfmon.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37   843712   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58   37296   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-23 17:27   159744   ----a-w-   c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2008-02-22 11:43   1245184   ----a-w-   c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-10-18 14:30   136176   ----atw-   c:\documents and settings\Benni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 10:51   1450096   ------w-   c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 03:40   218032   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 04:09   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
2006-11-02 13:05   282624   ----a-w-   c:\windows\system32\KADxMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50   155648   ----a-w-   c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
2005-05-10 17:03   36864   ----a-r-   c:\windows\system32\P0620Pin.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 09:57   128296   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 13:28   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade]
2007-09-14 09:53   218424   ----a-w-   c:\program files\Wave Systems Corp\SecureUpgrade.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-12-05 16:24   405504   ----a-w-   c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2007-09-10 08:55   92160   ----a-w-   c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [02/03/2010 21:54 20352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [06/11/2011 20:06 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [06/11/2011 20:06 337880]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [23/06/2012 09:25 208312]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [23/06/2012 09:25 44592]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [23/06/2012 09:25 27632]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [23/06/2012 09:25 31912]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 14:21 79432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [06/11/2011 20:06 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/06/2012 19:03 654408]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [23/06/2012 09:24 210920]
R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [23/06/2012 09:24 4382968]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [11/08/2004 17:00 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 12:32 97536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [23/06/2012 19:03 22344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2010 17:59 136176]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [30/05/2012 13:56 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29/02/2012 09:50 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [04/04/2012 11:04 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2010 17:59 136176]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [16/02/2012 14:02 33792]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [13/05/2012 23:14 129976]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:05]
.
2012-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 16:59]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 16:59]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2990146027-3927655144-4261030477-1005Core.job
- c:\documents and settings\Benni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-02 14:30]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2990146027-3927655144-4261030477-1005UA.job
- c:\documents and settings\Benni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-02 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
FF - ProfilePath - c:\documents and settings\Benni\Application Data\Mozilla\Firefox\Profiles\rusocneo.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{8020143D-5926-4394-A04D-DD0B649DA121} - (no file)
WebBrowser-{8020143D-5926-4394-A04D-DD0B649DA121} - (no file)
WebBrowser-{D70F2DE6-51E2-42D4-9077-4CA06CAFC836} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-27 18:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,3c,dc,5a,e8,6b,65,4b,b6,b9,4f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,3c,dc,5a,e8,6b,65,4b,b6,b9,4f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2012-06-27  19:01:08
ComboFix-quarantined-files.txt  2012-06-27 18:01
.
Pre-Run: 73,205,567,488 bytes free
Post-Run: 73,671,028,736 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A436A629F9FA163B0CD50B5027C100F9

[SuperDave]

Unfortunatly I couldn't uninstall Java(TM) 6 Update 13.  I got a fatal instalation error.

I had that problem about a month ago. I ended up uninstalling Java and then downloaded the newest version. Please try this:

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
***********************************************
Update your Adobe Reader. get.adobe.com/reader.

Be sure to uncheck the Free McAfee Security Scan so it isn't installed.
***********************************************

Total Fragmentation on Drive C:: 15% Defragment your hard drive soon!

You can using the defragger on your computer or this one.

Defraggler is very effective and easy to use.

Important! Be sure to uncheck Install optional Yahoo! Toolbar or Google Chrome during the install process to avoid installing them.

Note: Be sure to clean out temp files and restart the computer just before beginning a defrag.
******************************************

while this was running MBAM picked up some files it reconed were infected and I quarantined them.  Was this right or have I made a mess of things?

No problem.

ComboFix is running from the wrong location. Please delete it, download and new one and save it to your DESKTOP.

Re-running ComboFix to remove infections:

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:
  

  KillAll::
  
  File::
  c:\windows\system32\REN8F.tmp
  c:\windows\system32\REN8E.tmp
  c:\windows\system32\REN8D.tmp
  
  
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

*****************************************************
Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it



Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



On completion of the scan click save log, save it to your desktop and post in your next reply

[benni9000]

I checked which Java I had installed.  Apparently I didn't have it, but it was in my control panel.  I have run javara and remeoved all the old versions.  Java (TM) 6 update 13 is still in my add remove programs directory and still won't uninstall.  The latest version is installed but If I try to open it from control panel Online Armour blocks the file java.cpl in C:\WINDOWS\system32.  I accidentally blocked it when I first installed it and haven't jet figured out how to allow it to run.

Adobe reader X (10.1.3) installed

Defrag completed

deleted combofix and re-downloaded to desktop.  copied that script to notepad.  Disabled MBAM and Avast and draged CFscript to combofix as displayed.  Combofix ran and froze up.  Had to turn the pc off.  Tried again but left it for an hour and it still did nothing.  Tried it with online armour also disabled and the result was still the same.

do you want me to carry on with the rest of your instructions tomorrow?

[SuperDave]

I accidentally blocked it when I first installed it and haven't jet figured out how to allow it to run.

You will have to get into Armour and remove the block. I'm not sure how to do that because I use Comodo.

do you want me to carry on with the rest of your instructions tomorrow?

Yes please.

Copy and paste the text in the code box below into Notepad.

Code: [Select]

@echo off
del c:\windows\system32\REN8F.tmp
c:\windows\system32\REN8E.tmp
c:\windows\system32\REN8D.tmp

exit
Then click File > Save as
Save to the Desktop as blackpudding.bat
And Save as type: All Files.

Double-click on blackpudding.bat to run it.

[benni9000]

Sorry for the delay.  I haven't given up.  Just had lots of other stuff to do.

I managed to fix the javacpl.cpl block issue.

ASW LOG

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-30 19:17:53
-----------------------------
19:17:53.531    OS Version: Windows 5.1.2600 Service Pack 3
19:17:53.531    Number of processors: 2 586 0x6802
19:17:53.531    ComputerName: TRINITY  UserName: Benni
19:18:02.156    Initialize success
19:18:03.437    AVAST engine defs: 12063000
19:18:24.671    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:18:24.687    Disk 0 Vendor: TOSHIBA_MK1252GSX LV011D Size: 114473MB BusType: 3
19:18:24.750    Disk 0 MBR read successfully
19:18:24.750    Disk 0 MBR scan
19:18:24.750    Disk 0 Windows XP default MBR code
19:18:24.750    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0      109 MB offset 63
19:18:24.765    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       114361 MB offset 224910
19:18:24.765    Disk 0 scanning sectors +234436545
19:18:24.859    Disk 0 scanning C:\WINDOWS\system32\drivers
19:18:35.765    Service scanning
19:18:57.250    Modules scanning
19:19:06.937    Disk 0 trace - called modules:
19:19:06.953    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:19:06.953    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8abd9ab8]
19:19:06.953    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000089[0x8abe4f18]
19:19:06.953    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8abe3b00]
19:19:07.546    AVAST engine scan C:\WINDOWS
19:19:14.593    AVAST engine scan C:\WINDOWS\system32
19:21:20.703    AVAST engine scan C:\WINDOWS\system32\drivers
19:21:39.984    AVAST engine scan C:\Documents and Settings\Benni
19:27:55.031    AVAST engine scan C:\Documents and Settings\All Users
19:29:10.750    Scan finished successfully
19:30:04.468    Disk 0 MBR has been saved successfully to "C:\Iain\MBR.dat"
19:30:04.562    The log file has been saved successfully to "C:\Iain\aswMBR.txt"

Ran Blackpudding.bat

Got a message saying "Windows canot open this file"  REN8E.tmp.  to open this file windows needs to know what program created it.  get the option of Use web service to find appropriate program or Select program from list.  I clicked cancel as I have no idea what to do.

Got a message saying "Windows canot open this file"  REN8D.tmp.  to open this file windows needs to know what program created it.  get the option of Use web service to find appropriate program or Select program from list.  I clicked cancel as I have no idea what to do.

no futher messages from running Blackpudding.bat

And I still can't seem to uninstall Java 6 Update 13.  Having said that I can't find it either.  If I go to Add/Remove programs and click on Java 6 update 13 then click on support information the pop up window tells me there's a read me file in C:\program files\java\jre1.6.0 13.  the jre1.6.0 13 does not exist.  Has this become a rogue entry in my add/remove programs list?
 

[SuperDave]

Has this become a rogue entry in my add/remove programs list?

I don't really know why this happened. As I mentioned before, this also happened to me. However, it is nothing serious

Please download: HiJackThis to your Desktop.

• Double Click the HijackThis icon, located on your Desktop.
  
• By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
• Accept the license agreement.
• Click the Open the Misc Tools section button.
  
• Click on the Open Uninstall Manager button.
  
• Click Java(TM) 6 Update 13 and delete this program.
  

******************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

[benni9000]

Deleted Java 6 update 13 using Hijackthis.

Sysprot Log

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: ADE99000
Module End: ADEB1000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA648000
Module End: BA64A000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAddBootEntry
Address: ADEF1DF8
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwAllocateVirtualMemory
Address: ADF7EA5A
Driver Base: ADF73000
Driver End: ADFC4000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwAssignProcessToJobObject
Address: ADEF285E
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwClose
Address: ADF1ED5D
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwConnectPort
Address: AE1CC64C
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateEvent
Address: ADEF72E4
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateEventPair
Address: ADEF7330
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateFile
Address: AE1D3316
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateIoCompletion
Address: ADEF7422
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateKey
Address: ADF1E711
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateMutant
Address: ADEF7252
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreatePort
Address: AE1CC46A
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateProcess
Address: AE1CDEE8
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateProcessEx
Address: AE1CA978
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateSection
Address: ADEF7374
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateSemaphore
Address: ADEF729A
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateThread
Address: AE1CB634
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateTimer
Address: ADEF73DC
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDebugActiveProcess
Address: AE1CBD22
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwDeleteBootEntry
Address: ADEF1E44
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteKey
Address: ADF1F423
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteValueKey
Address: ADF1F6D9
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDuplicateObject
Address: ADEF49A8
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwEnumerateKey
Address: ADF1F28E
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwEnumerateValueKey
Address: ADF1F0F9
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwFreeVirtualMemory
Address: ADF7EB34
Driver Base: ADF73000
Driver End: ADFC4000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwLoadDriver
Address: ADEF1AD6
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwModifyBootEntry
Address: ADEF1E90
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwNotifyChangeKey
Address: ADEF4D1C
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwNotifyChangeMultipleKeys
Address: ADEF2B02
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenEvent
Address: ADEF730E
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenEventPair
Address: ADEF7352
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenFile
Address: AE1D3694
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenIoCompletion
Address: ADEF7446
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenKey
Address: ADF1EA6D
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenMutant
Address: ADEF7278
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenProcess
Address: ADEF4518
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenSection
Address: ADEF73AE
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenSemaphore
Address: ADEF72C2
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenThread
Address: ADEF474C
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenTimer
Address: ADEF7400
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwProtectVirtualMemory
Address: ADF7ECA0
Driver Base: ADF73000
Driver End: ADFC4000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryKey
Address: ADF1EF74
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueryObject
Address: ADEF29CE
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueryValueKey
Address: ADF1EDC6
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueueApcThread
Address: AE1CDA44
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRenameKey
Address: ADF88B68
Driver Base: ADF73000
Driver End: ADFC4000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRequestPort
Address: AE1CCCB0
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRequestWaitReplyPort
Address: AE1CD018
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRestoreKey
Address: ADF1DD84
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwResumeThread
Address: AE1CC0CE
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSecureConnectPort
Address: AE1CC86E
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSetBootEntryOrder
Address: ADEF1EDC
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetBootOptions
Address: ADEF1F28
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetContextThread
Address: AE1CBBCC
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSetSystemInformation
Address: ADEF1B46
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetSystemPowerState
Address: ADEF1CEA
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetValueKey
Address: ADF1F52A
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwShutdownSystem
Address: ADEF1C92
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSuspendProcess
Address: AE1CC1FE
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSuspendThread
Address: AE1CBF7A
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSystemDebugControl
Address: ADEF1D5A
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwTerminateProcess
Address: ADF7ED60
Driver Base: ADF73000
Driver End: ADFC4000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwTerminateThread
Address: AE1CBA66
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwUnloadDriver
Address: AE1CD518
Driver Base: AE1CA000
Driver End: AE1FB000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwVdmControl
Address: ADEF1F74
Driver Base: ADED9000
Driver End: ADF73000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwWriteVirtualMemory
Address: ADF7EBE0
Driver Base: ADF73000
Driver End: ADFC4000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwClose
At Address: 805BC55E
Jump To: ADF91C8C
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObMakeTemporaryObject
At Address: 805BC55E
Jump To: ADF91C8C
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObInsertObject
At Address: 805C2FE2
Jump To: ADF9374C
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObCloseHandle
At Address: 805BC55E
Jump To: ADF91C8C
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
No hidden files/folders found

[SuperDave]

How's your computer running now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[benni9000]

Here is the ESET Log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=58554bdb09dce644811fbe806f8fc97c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-03 12:16:40
# local_time=2012-07-03 01:16:40 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 107290 107290 0 0
# compatibility_mode=768 16777215 100 0 75885219 75885219 0 0
# compatibility_mode=6401 16777213 66 100 348807 2879305 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=120787
# found=0
# cleaned=0
# scan_time=9941


The computer seems to be running fine now with the exception of a missing RUNDLL file upon start up.  I have mentioned this before in my original post and in my shortend version.

I got Metropolitan Police malware on my laptop.  I followed the "read this before requesting malware removal help" post which seems to have stopped it, Now I just need to get rid of the damage?  I think there are still some files left on my laptop from the malware and I am missing a RUNDLL file from the windows directory.

I have attache a jpg of the error window as I couldn't seem to get it into the post.

I believe the RUNDLL file was the source of my malware issue.  I will explain my reasoning though I could be wrong.  When I got the malware it locked up the laptop.  It didn't however start until the internet connection was live.  So with the internet disconnected I looked in my startup folder by going right mouse button on Start and browsing all users.  I found a short cut called cpfmon.  I deleted cos I didn't know what it was.  Came straight back.  So I searched C drive for cpfmon and found a few other files withe the same name.  I deleted them and then connected to the internet.  No malware issue.  When I restarted and connected I got the malware back.  So I looked at the properties of the cpfmon shortcut and found where it was linked to, it was a RUNDLL file in the windows directory.  Hence why I think the RUNDLL file was the source of the malware or at least what it had infected.

Apart from this missing file everything is ok that I can see.  I appreciate all the help you have given.

Thank you

[year+ old attachment deleted by admin]

[SuperDave]

I'm happy that everything is working well but I want to check further on that alert and then we'll so some cleanup.

[SuperDave]

Please download SystemLook from one of the links below and save it to your desktop.

Link # 1
Link # 2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click SystemLook.exe to run it.

Copy the contents of the following codebox into the main textfield.

Code: [Select]

:filefind
jork_0_typ_col.exe
Click the Look button to start the scan.

Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt

[benni9000]

SystemLook 30.07.11 by jpshortstuff
Log created at 18:17 on 05/07/2012 by Benni
Administrator - Elevation successful

========== filefind ==========

Searching for "jork_0_typ_col.exe"
No files found.

-= EOF =-

[SuperDave]

Double-click SystemLook.exe to run it.

Copy the contents of the following codebox into the main textfield.

Code: [Select]

:regfind
jork_0_typ_col.exe
Click the Look button to start the scan.

Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
 

[benni9000]

Nothing exciting I'm afraid

SystemLook 30.07.11 by jpshortstuff
Log created at 19:39 on 06/07/2012 by Benni
Administrator - Elevation successful

========== regfind ==========

Searching for "jork_0_typ_col.exe"
No data found.

-= EOF =-

[SuperDave]

Please download SystemLook from one of the links below and save it to your desktop.

Link # 1
Link # 2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click SystemLook.exe to run it.

Copy the contents of the following codebox into the main textfield.

Code: [Select]

:regfind
"error loading"
Click the Look button to start the scan.

Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
 

[benni9000]

I'm afraid there is still no joy

SystemLook 30.07.11 by jpshortstuff
Log created at 18:08 on 08/07/2012 by Benni
Administrator - Elevation successful

========== regfind ==========

Searching for ""error loading""
No data found.

-= EOF =-

[SuperDave]

Please do this even if you don't have your OS disk.Please let me know what happens.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
•Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
*Let this run undisturbed until the window with the blue  progress bar goes away
SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

[benni9000]

Unfortunatly I don't have the XP CD.  I got the lap top with an XP downgrade as I didn't want Windows Vista.  I have the Vista CD though.

I followed the FSC /Scannow instructions.  It went through it all.  There was no message after it finished so I assume everything was ok.

[SuperDave]

Unfortunatly I don't have the XP CD.  I got the lap top with an XP downgrade as I didn't want Windows Vista.  I have the Vista CD though.

I followed the FSC /Scannow instructions.  It went through it all.  There was no message after it finished so I assume everything was ok.

If it didn't ask for the XP disk that means all the OS files are ok. I'm at a loss as to what's causing this error.

[benni9000]

Ok.  No worries.  Other than that message on startup everything seems to be working ok.  I really appreciate the time and effort you've spent helping me sort my laptop out.

Thank you

[SuperDave]

We should do some cleanup before you go.

Download this program and run it Uninstall ComboFix .It will remove ComboFix for you
*******************************************
To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
************************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!