Help With Hijackthis Log, Computer Is Infested With Trojans!


22 replies to this topic

#1 Flyinlowsup

Flyinlowsup

  • Members
  • 43 posts

Posted 14 September 2007 - 05:19 PM

My computer is infested with what I believe are trojans or some other type of viruses. Ultimate Cleaner 2007 somehow got downloaded onto the computer and it's obviously a virus. There are also other fake spyware cleaners that got downloaded. And when I click on Start, "Control Panel" is no longer there, so I can't even go in and remove them myself. Here is my HijackThis log, so if anyone can please help, that would be awesome! Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:59 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Online Services\mebelu22011.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Web Buying\v1.8.2\webbuying.exe
C:\WINDOWS\system32\regscan.exe
C:\PROGRA~1\PPPATC~1\chkdsk.exe
C:\Program Files\Common Files\s?curity\netdde.exe
C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\info.exe
C:\Documents and Settings\Filipe\Start Menu\Programs\Startup\info.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Filipe\Desktop\HiJackThis(2).exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\FILIPE\Application Data\Mozilla\Profiles\default\8d6emau6.slt\prefs.js)
O2 - BHO: 0 - {42D77D77-C2C1-41E8-1FBF-725D90AA1212} - C:\Program Files\Ybqgieol\qufa.dll
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O2 - BHO: (no name) - {bdb0a17b-8efe-4aa8-aff9-013c655ccaa0} - C:\WINDOWS\system32\cadpyln.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [{A2-2F-F7-7C-ZN}] C:\Documents and Settings\Filipe\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [mebelu] C:\Program Files\Online Services\mebelu22011.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgej.dll,startup
O4 - HKLM\..\Run: [lcdghghu] rundll32.exe "C:\Program Files\lcdghghu\dcjcvkrw.dll",Init
O4 - HKLM\..\Run: [tsfivybu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tsfivybu.dll"
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Filipe\smss.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\PPPATC~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Ybctj] "C:\Program Files\Common Files\s?curity\netdde.exe"
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O4 - HKUS\S-1-5-18\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe (User 'Default user')
O4 - Startup: info.exe
O4 - Startup: system.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Filipe\Local Settings\Temp\thinksnet.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: info.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O21 - SSODL: ZQuAxic - {545A2F7D-FEF0-85D7-5E97-EE8A73C31A90} - C:\WINDOWS\system32\mqumu.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmlsaXBl\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtene.html
O24 - Desktop Component 1: (no name) - http://www.thefoxesden.org/~mfox/pictures/nsx/nsx-f.jpg

--
End of file - 10736 bytes
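The log above is the raw material the helpers triage by eye. As an added example (not code from the thread, HijackThis or BleepingComputer), the script below applies a few defender-side heuristics that match what stands out in this particular log: the F2 Shell= chain, the DisableRegedit policy, the AppInit_DLLs entry, the `svchost.exe:exe.exe` alternate data stream, core-binary names running outside system32, near-miss names such as `explore.exe`, the `s?curity` lookalike directory and autostarts from Temp. The sample lines are copied from the log; the heuristics and thresholds are this example's own assumptions.

```python
"""Defender-side triage of HijackThis-style log lines (added example)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# Core Windows binaries that only legitimately live directly in system32 (XP).
CORE_BINARIES = {"smss.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                 "winlogon.exe", "services.exe", "csrss.exe"}
# Near-miss names seen in the log above, mapped to the binary they imitate.
LOOKALIKES = {"explore.exe": "explorer.exe", "spoolsvv.exe": "spoolsv.exe"}

# First drive-letter path in a line, up to the first executable-ish extension.
_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|bat|vbs|txt|ini|cab)\b",
                      re.IGNORECASE)
# "file.ext:stream" right after a backslash, i.e. an NTFS alternate data stream.
_ADS_RE = re.compile(r"\\[^\\\s]+\.[A-Za-z0-9]+:[^\\\s]")

# Constructed sample: entries copied from the log posted above, plus two
# benign ones (Dell PCMService, NVIDIA service) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [{A2-2F-F7-7C-ZN}] C:\Documents and Settings\Filipe\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [Ybctj] "C:\Program Files\Common Files\s?curity\netdde.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def triage_line(line: str) -> List[Finding]:
    """Return every heuristic hit for one HijackThis line (empty list if clean)."""
    findings: List[Finding] = []
    prefix = line.split(" - ", 1)[0].strip()        # section code: F2, O4, O23 ...
    m = _PATH_RE.search(line)
    path = m.group(0) if m else ""
    low = path.lower()
    directory, _, name = low.rpartition("\\")

    if prefix == "F2" and "Shell=" in line:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":          # anything chained after Explorer.exe
            findings.append(("Winlogon Shell hijack: extra program chained after Explorer.exe", line))
    if prefix == "O7" and "DisableRegedit=1" in line:
        findings.append(("policy disables regedit (common malware self-protection)", line))
    if prefix == "O20" and "AppInit_DLLs" in line and path:
        findings.append(("AppInit_DLLs injects a module into every GUI process", line))
    if prefix in ("O2", "O21") and directory.endswith("\\system32"):
        findings.append(("BHO/shell object loaded straight from system32, worth checking", line))
    if _ADS_RE.search(line):
        findings.append(("path is an NTFS alternate data stream", line))
    if path:
        # HijackThis prints characters it cannot render as '?', which is not a
        # legal filename character, so either form means a lookalike name.
        if "?" in path or any(ord(c) > 127 for c in path):
            findings.append(("non-ASCII/lookalike character in path", line))
        if "\\local settings\\temp\\" in directory + "\\":
            findings.append(("autostart entry runs from a Temp folder", line))
        if name in CORE_BINARIES and not directory.endswith("\\system32"):
            findings.append((f"{name} outside system32 (masquerade)", line))
        if name in LOOKALIKES:
            findings.append((f"{name} imitates {LOOKALIKES[name]}", line))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a log and flatten the hits."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

The heuristics are deliberately loose; a hit means "look at this line", not "this is malware", which is exactly the judgement the forum helpers apply by hand.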

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 September 2007 - 06:32 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Flyinlowsup :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Your PC is extremely badly infected, to say the least; among the nasties, vtr.dll is present, which is a Backdoor Trojan.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then let me know what you want to do in your next reply.

#3 Flyinlowsup

Flyinlowsup
  • Topic Starter

  • Members
  • 43 posts

Posted 14 September 2007 - 07:09 PM

Wow this is not good at all. Please help me clean this up. What would be the best way to do so?

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 September 2007 - 07:16 PM

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#5 Flyinlowsup

Flyinlowsup
  • Topic Starter

  • Members
  • 43 posts

Posted 14 September 2007 - 08:10 PM

Alright, I did it. Here are the log files from each thing:

SDFix: Version 1.104

Run by Filipe on Fri 09/14/2007 at 08:29 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
cmdService
ICF

ImagePath:
C:\WINDOWS\RmlsaXBl\command.exe
C:\WINDOWS\system32\svchost.exe:exe.exe

cmdService - Deleted
ICF - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...

Service asc355 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\RmlsaXBl\lA5Pur15.vbs - Deleted
C:\WINDOWS\system32\l3acdb2.dll - Deleted
C:\Documents and Settings\Filipe\Local Settings\Temp\win212.tmp.exe - Deleted
C:\Documents and Settings\Filipe\Local Settings\Temp\win216.tmp.exe - Deleted
C:\Program Files\InetGet2\popinstall.exe - Deleted
C:\Program Files\WinPop\UnInstall.exe - Deleted
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\Filipe\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\Program Files\Setup.exe - Deleted
C:\Documents and Settings\All Users\Documents\Settings\bot.dll - Deleted
C:\wintemp.log - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\regscan.exe - Deleted
C:\WINDOWS\system32\winmfu32.dll - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted


Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\WinPop - Removed
Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
: ADS Found!

svchost.exe: deleted 51200 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Common Files\s?curity\netdde.exe
C:\Program Files\ąppPatch\chkdsk.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1304\A0089593.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1304\A0089594.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1304\A0090732.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1314\A0090754.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1321\A0091714.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1336\A0092996.sys
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1340\A0093018.sys
C:\WINDOWS\SYSTEM32\EE25191AA0.sys
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG

Finished!



ComboFix 07-09-14.2 - "Filipe" 2007-09-14 20:50:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.65 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs.\UltimateCleaner 2007
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs.\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs.\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs.\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\info.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
C:\DOCUME~1\Filipe\APPLIC~1.\Ultimate Cleaner
C:\DOCUME~1\Filipe\APPLIC~1.\Ultimate Cleaner\settings.dat
C:\DOCUME~1\Filipe\APPLIC~1\macromedia\Flash Player\#SharedObjects\ZDTG58ME\www.broadcaster.com
C:\DOCUME~1\Filipe\APPLIC~1\macromedia\Flash Player\#SharedObjects\ZDTG58ME\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Filipe\APPLIC~1\macromedia\Flash Player\#SharedObjects\ZDTG58ME\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\Filipe\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Filipe\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Filipe\APPLIC~1\microsoft\internet explorer\quick launch\Start UltimateCleaner 2007.lnk
C:\DOCUME~1\Filipe\APPLIC~1\Ultimate Cleaner\settings.dat
C:\DOCUME~1\Filipe\Desktop\Find Spyware Remover.lnk
C:\DOCUME~1\Filipe\Desktop\Ultimate Cleaner 2007.lnk
C:\DOCUME~1\Filipe\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Filipe\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\Filipe\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\DOCUME~1\Filipe\STARTM~1\Programs\Startup\info.exe
C:\DOCUME~1\Filipe\STARTM~1\Programs\Startup\system.exe
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\scurit~1\netdde.exe
C:\Program Files\lcdghghu
C:\Program Files\lcdghghu\dcjcvkrw.dll
C:\Program Files\MSN\qufa.dll
C:\Program Files\MSN\rtene.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\?ppPatch\
C:\Program Files\pppatc~1\chkdsk.exe
C:\Program Files\racle~1
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\Ultimate Cleaner\com\ucsecuredelete.dll
C:\Program Files\Ultimate Cleaner\program.info
C:\Program Files\Ultimate Cleaner\ucleaner.pkg
C:\Program Files\Ultimate Cleaner\UltimateCleaner.db
C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe
C:\Program Files\Ultimate Cleaner\Uninstall.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.2\wbuninst.exe
C:\Program Files\web buying\v1.8.2\webbuying.exe
C:\Program Files\Ybqgieol\qufa.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\appatc~1
C:\WINDOWS\Casino.ico
C:\WINDOWS\ecurit~1
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\cadpyln.dll
C:\WINDOWS\system32\drivers\ApiMon.sys
C:\WINDOWS\system32\eorm.dll
C:\WINDOWS\system32\explore.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\SYSTEM32\hesjxhfm.ini
C:\WINDOWS\system32\jbdrqqxb.dll
C:\WINDOWS\system32\mfhxjseh.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\qligqfji.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\wnsintsv32.exe
C:\WINDOWS\tk58.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-14 20:27 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-13 19:34 39,424 --a------ C:\WINDOWS\SYSTEM32\vtr.dll
2007-09-09 20:39 93,696 --a------ C:\WINDOWS\SYSTEM32\drvgej.dll
2007-09-09 20:39 15,360 --a------ C:\WINDOWS\SYSTEM32\drvgejr.dll
2007-09-09 20:32 10,240 --a------ C:\Program Files\hlpsrv.exe
2007-09-06 08:52 14,639 --a------ C:\WINDOWS\SYSTEM32\rt26.exe
2007-09-03 02:11 109,568 --a------ C:\WINDOWS\SYSTEM32\rt29.exe
2007-09-03 02:11 109,568 --a------ C:\WINDOWS\SYSTEM32\rt27.exe
2007-08-21 15:54 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-08-21 15:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\tmps7
2007-08-21 15:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\ICM23
2007-08-21 15:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\dllsz
2007-08-21 15:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\cofig1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 21:02 --------- d-------- C:\Program Files\Ybqgieol
2007-09-14 21:00 --------- d-------- C:\Program Files\Plaxo
2007-09-14 20:45 --------- d-------- C:\DOCUME~1\Filipe\APPLIC~1\WeatherBug
2007-09-09 20:30 14336 --a------ C:\WINDOWS\SYSTEM32\svchost.exe
2007-09-09 20:30 14336 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2007-09-05 18:09 --------- d-------- C:\Program Files\AIM
2007-09-02 00:29 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-13 19:24 28256 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-08-01 19:49 10856 --ahs---- C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-27 17:53 --------- d-------- C:\Program Files\PMPro Flash to Audio Extractor
2007-06-26 11:13 851968 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-06-26 10:09 658944 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 14:09 96256 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-06-14 07:54 163840 --a------ C:\Program Files\TTC.dll
2005-10-30 19:23 774144 --a--c--- C:\Program Files\RngInterstitial.dll
2003-09-09 20:39 98304 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\tsfivybu.dll
2005-08-18 17:11:16 56 --sh--r C:\WINDOWS\SYSTEM32\EE25191AA0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8F78176-DBB8-45E6-CEB1-54B0C9CDCC8B}]
2007-09-14 21:02 70144 --a------ C:\Program Files\Ybqgieol\qufa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-12-03 06:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-23 08:39]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-03-21 13:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-03-18 14:53]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 19:25]
"VirusScan Online"="c:\program files\mcafee.com\vso\mcvsshld.exe" [2003-03-21 13:52]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-12-03 06:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-09-17 20:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"HostManager"="C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe" [2005-11-02 23:01]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 04:42]
"{A2-2F-F7-7C-ZN}"="C:\Documents and Settings\Filipe\Local Settings\Temp\thinksnet.exe" []
"mebelu"="C:\Program Files\Online Services\mebelu22011.exe" [2007-08-07 16:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2005-11-02 23:01]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-12-10 15:46]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 01:40]
"Ybctj"="C:\Program Files\Common Files\s?curity\netdde.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DoNotDelete"=C:\WINDOWS\system32\explore.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-10-23 08:38:48]
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Filipe\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-05-01 16:05:25]

C:\DOCUME~1\Mom&Dad\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ZQuAxic"= {545A2F7D-FEF0-85D7-5E97-EE8A73C31A90} - C:\WINDOWS\system32\mqumu.dll [2006-09-09 20:30 14848]

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S2 X4HSX32;X4HSX32;\??\C:\Documents and Settings\Filipe\My Documents\My Games\GameTap\bin\Release\X4HSX32.Sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 00:59:45 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D3GL7P31-Filipe).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-09-15 00:59:54 C:\WINDOWS\Tasks\McAfee.com Update Check (D3GL7P31-Filipe).job"
"2007-09-15 01:00:04 C:\WINDOWS\Tasks\McAfee.com Update Check (D3GL7P31-Jamie).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-15 01:03:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3GL7P31-Mom&Dad).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-15 01:03:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3GL7P31-Owner).job"
- c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 20:59:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 21:03:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 21:03
C:\ComboFix2.txt ... 2007-06-27 01:09
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:09 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Online Services\mebelu22011.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Filipe\Desktop\HiJackThis(2).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\FILIPE\Application Data\Mozilla\Profiles\default\8d6emau6.slt\prefs.js)
O2 - BHO: 0 - {B8F78176-DBB8-45E6-CEB1-54B0C9CDCC8B} - C:\Program Files\Ybqgieol\qufa.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [{A2-2F-F7-7C-ZN}] C:\Documents and Settings\Filipe\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [mebelu] C:\Program Files\Online Services\mebelu22011.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ybctj] "C:\Program Files\Common Files\s?curity\netdde.exe"
O4 - HKUS\S-1-5-18\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O21 - SSODL: ZQuAxic - {545A2F7D-FEF0-85D7-5E97-EE8A73C31A90} - C:\WINDOWS\system32\mqumu.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7502 bytes

#6 RichieUK (Malware Response Team)

Posted 14 September 2007 - 08:56 PM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\SYSTEM32\vtr.dll
C:\WINDOWS\SYSTEM32\drvgej.dll
C:\WINDOWS\SYSTEM32\drvgejr.dll
C:\Program Files\hlpsrv.exe
C:\WINDOWS\SYSTEM32\rt26.exe
C:\WINDOWS\SYSTEM32\rt29.exe
C:\WINDOWS\SYSTEM32\rt27.exe
C:\Program Files\TTC.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\tsfivybu.dll

Folder::
C:\WINDOWS\SYSTEM32\tmps7
C:\WINDOWS\SYSTEM32\dllsz
C:\WINDOWS\SYSTEM32\cofig1
C:\Program Files\Ybqgieol

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8F78176-DBB8-45E6-CEB1-54B0C9CDCC8B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{A2-2F-F7-7C-ZN}"=-
"mebelu"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DoNotDelete"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ZQuAxic"=-

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#7 Flyinlowsup (Topic Starter)

Posted 14 September 2007 - 09:11 PM

I copied and pasted that into Notepad and saved the file like you said. When I try to click and drag the CFScript onto the ComboFix.exe, it just bounces right off of it. It won't drop into it. I saved it under all files too, but the name comes up as cfscript.txt on the desktop. What am I doing wrong?

#8 RichieUK (Malware Response Team)

Posted 14 September 2007 - 09:17 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\SYSTEM32\vtr.dll
C:\WINDOWS\SYSTEM32\drvgej.dll
C:\WINDOWS\SYSTEM32\drvgejr.dll
C:\Program Files\hlpsrv.exe
C:\WINDOWS\SYSTEM32\rt26.exe
C:\WINDOWS\SYSTEM32\rt29.exe
C:\WINDOWS\SYSTEM32\rt27.exe
C:\Program Files\TTC.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\tsfivybu.dll
C:\WINDOWS\SYSTEM32\tmps7
C:\WINDOWS\SYSTEM32\dllsz
C:\WINDOWS\SYSTEM32\cofig1
C:\Program Files\Ybqgieol


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double-click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8F78176-DBB8-45E6-CEB1-54B0C9CDCC8B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{A2-2F-F7-7C-ZN}"=-
"mebelu"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DoNotDelete"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ZQuAxic"=-


Restart your PC.
Post a new HijackThis log please.
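An added example (not code from the thread, from RichieUK or from BleepingComputer) that puts the checks RichieUK made by eye into a script: it parses the O2, O4 and O21 lines of the HijackThis log posted above, flags the entries a helper would question (an image in a Temp directory, a '?' where a Windows filename cannot contain one, an autostart in the HKEY_USERS SYSTEM/.DEFAULT hive, a Windows binary name outside the Windows directory or a near-misspelling of one, an unnamed BHO, a non-default SSODL entry) and emits a REGEDIT4 file in the syntax used by the fix.reg above and by the Registry:: section of the CFScript in post #6: `[-Key]` deletes a whole key, `"Name"=-` deletes a single value. The sample lines are copied from the posted log; the heuristics, the list of XP SP2 default SSODL names and the assumption that Windows is installed in C:\WINDOWS are this example's own. It also shows the limit of such heuristics: mebelu22011.exe looks unremarkable to the script, and RichieUK identified it from experience.

```python
"""Triage HijackThis O2/O4/O21 lines and emit a REGEDIT4 removal script.
Added example, not the thread's own code; heuristics and defaults are assumptions."""
import difflib
import re
from typing import List, NamedTuple, Optional

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
SSODL_DEFAULTS = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}  # assumption: clean XP SP2
# Windows binaries whose names malware borrows outright (netdde.exe) or misspells (explore.exe).
SYSTEM_BINARIES = ["explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "spoolsv.exe", "netdde.exe", "rundll32.exe"]
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(.+?)\] (.*?)(?: \(User '[^']*'\))?$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - \{[0-9A-Fa-f-]+\} - (.+)$")

class Entry(NamedTuple):
    kind: str         # "O2", "O4" or "O21"
    key: str          # registry key holding the entry (the BHO's own key for O2)
    name: str         # value name, or the CLSID for a BHO
    path: str         # image path on disk
    flags: List[str]  # why the entry looks suspicious; empty means nothing found

def image_path(command: str) -> str:
    """Strip arguments off an O4 command line, honouring a quoted path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|com))(?:\s|$)", command, re.I)
    return m.group(1) if m else command

def suspicion(kind: str, key: str, label: str, path: str) -> List[str]:
    """The checks a helper applies by eye when reading an autostart entry."""
    flags, low = [], path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\temp\\" in low:
        flags.append("runs from a Temp directory")
    if "?" in path:  # '?' is illegal in a Windows filename: HijackThis hid a non-ASCII character
        flags.append("path contains a character HijackThis could not render")
    if key.startswith("HKEY_USERS\\"):
        flags.append("Run key in the SYSTEM/.DEFAULT profile hive")
    if base in SYSTEM_BINARIES:
        if not low.startswith("c:\\windows\\"):  # assumes Windows is installed in C:\WINDOWS
            flags.append("Windows binary name outside the Windows directory")
    elif near := difflib.get_close_matches(base, SYSTEM_BINARIES, n=1, cutoff=0.9):
        flags.append(f"near-lookalike of {near[0]}")
    if kind == "O2" and label.strip() in ("", "0", "(no name)"):
        flags.append("BHO registered without a name")
    if kind == "O21" and label not in SSODL_DEFAULTS:
        flags.append("non-default ShellServiceObjectDelayLoad entry")
    return flags

def triage(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; None for line types this example ignores."""
    if m := O2_RE.match(line):
        label, clsid, path = m.groups()
        key = BHO_KEY + "\\" + clsid
        return Entry("O2", key, clsid, path, suspicion("O2", key, label, path))
    if m := O4_RE.match(line):
        hive, name, command = m.groups()
        root, _, user = hive.partition("\\")  # HKUS\S-1-5-18 -> HKEY_USERS\S-1-5-18
        key = HIVES[root] + ("\\" + user if user else "") + "\\" + RUN
        path = image_path(command)
        return Entry("O4", key, name, path, suspicion("O4", key, name, path))
    if m := O21_RE.match(line):
        name, path = m.groups()
        return Entry("O21", SSODL_KEY, name, path, suspicion("O21", SSODL_KEY, name, path))
    return None

def flagged(log_text: str) -> List[Entry]:
    return [e for e in map(triage, log_text.splitlines()) if e and e.flags]

def build_reg(entries: List[Entry]) -> str:
    """REGEDIT4 script in the thread's fix.reg syntax: [-Key] deletes a key, "Name"=- a value."""
    lines, values_by_key = ["REGEDIT4", ""], {}
    for e in entries:
        if e.kind == "O2":
            lines += [f"[-{e.key}]", ""]  # each BHO is registered as its own key
        else:
            values_by_key.setdefault(e.key, []).append(e.name)
    for key, names in values_by_key.items():
        lines += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\r\n".join(lines)  # regedit wants CRLF line endings

# Constructed input: the relevant lines of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: 0 - {B8F78176-DBB8-45E6-CEB1-54B0C9CDCC8B} - C:\Program Files\Ybqgieol\qufa.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [{A2-2F-F7-7C-ZN}] C:\Documents and Settings\Filipe\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [mebelu] C:\Program Files\Online Services\mebelu22011.exe
O4 - HKCU\..\Run: [Ybctj] "C:\Program Files\Common Files\s?curity\netdde.exe"
O4 - HKUS\S-1-5-18\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe (User 'Default user')
O21 - SSODL: ZQuAxic - {545A2F7D-FEF0-85D7-5E97-EE8A73C31A90} - C:\WINDOWS\system32\mqumu.dll
"""

if __name__ == "__main__":
    hits = flagged(SAMPLE_LOG)
    for e in hits:
        print(f"{e.kind} [{e.name}] {e.path}\n    " + "; ".join(e.flags))
    print(build_reg(hits))
```

Running the script prints the flagged entries with the reason for each and then the generated .reg text. Review every line before merging it: `[-Key]` removes the whole key, including any legitimate values under it, so export the affected keys from regedit first so the change can be reversed.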

#9 Flyinlowsup (Topic Starter)

Posted 14 September 2007 - 10:05 PM

OTmoveit results:

File/Folder C:\WINDOWS\SYSTEM32\vtr.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\drvgej.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\drvgejr.dll not found.
File/Folder C:\Program Files\hlpsrv.exe not found.
File/Folder C:\WINDOWS\SYSTEM32\rt26.exe not found.
File/Folder C:\WINDOWS\SYSTEM32\rt29.exe not found.
File/Folder C:\WINDOWS\SYSTEM32\rt27.exe not found.
File/Folder C:\Program Files\TTC.dll not found.
File/Folder C:\DOCUME~1\ALLUSE~1\APPLIC~1\tsfivybu.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\tmps7 not found.
File/Folder C:\WINDOWS\SYSTEM32\dllsz not found.
File/Folder C:\WINDOWS\SYSTEM32\cofig1 not found.
File/Folder C:\Program Files\Ybqgieol not found.

Created on 09/14/2007 23:01:14

#10 Flyinlowsup (Topic Starter)

Posted 14 September 2007 - 10:10 PM

I copied and pasted those files into Notepad, then merged them into the directory, then restarted my comp.

Heres a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:15 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\regscan.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Filipe\Desktop\HiJackThis(2).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\FILIPE\Application Data\Mozilla\Profiles\default\8d6emau6.slt\prefs.js)
O2 - BHO: 0 - {D78067F6-B21C-40A6-C99B-FEE2FBE26DF6} - C:\Program Files\MSN\qufa.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ybctj] "C:\Program Files\Common Files\s?curity\netdde.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O21 - SSODL: ZQuAxic - {545A2F7D-FEF0-85D7-5E97-EE8A73C31A90} - C:\WINDOWS\system32\mqumu.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtene.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Ybqgieol\rtene.html

--
End of file - 7349 bytes

Edited by Flyinlowsup, 14 September 2007 - 10:42 PM.


#11 RichieUK (Malware Response Team)

Posted 15 September 2007 - 06:59 AM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\mqumu.dll
C:\Program Files\MSN\rtene.html

Restart your PC normally.


Download and install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Ybctj] "C:\Program Files\Common Files\s?curity\netdde.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O21 - SSODL: ZQuAxic - {545A2F7D-FEF0-85D7-5E97-EE8A73C31A90} - C:\WINDOWS\system32\mqumu.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtene.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Ybqgieol\rtene.html

Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Please run this online virus scan: ActiveScan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open... click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Post the ActiveScan report in your next reply.
Also post a new HijackThis log and let me know how your PC is running now.

#12 Flyinlowsup (Topic Starter)

Posted 15 September 2007 - 05:31 PM

My computer is running a lot better now. No more pop-ups and messages about virus cleaners etc. Here are the log files:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/15/2007 at 04:58 PM

Application Version : 3.9.1008

Core Rules Database Version : 3307
Trace Rules Database Version: 1313

Scan type : Complete Scan
Total Scan Time : 00:45:36

Memory items scanned : 384
Memory threats detected : 0
Registry items scanned : 4916
Registry threats detected : 13
File items scanned : 45470
File threats detected : 810

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{64B94229-7967-860A-A0C2-034C02BA876B}
HKCR\CLSID\{64B94229-7967-860A-A0C2-034C02BA876B}
HKCR\CLSID\{64B94229-7967-860A-A0C2-034C02BA876B}\InprocServer32
HKCR\CLSID\{64B94229-7967-860A-A0C2-034C02BA876B}\InprocServer32#ThreadingModel
HKCR\CLSID\{64B94229-7967-860A-A0C2-034C02BA876B}\InprocServer32#t
C:\PROGRAM FILES\YBQGIEOL\YRHVNOMP.DLL
HKCR\CLSID\{64B94229-7967-860A-A0C2-034C02BA876B}
C:\QOOBOX\QUARANTINE\C\WINDOWS\RMLSAXBL\COMMAND.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CADPYLN.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1361\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1362\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1363\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1364\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1365\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1366\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1367\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1368\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1369\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1370\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097007.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097221.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\SNAPSHOT\MFEX-27.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101481.DLL

Trojan.ZQuest
HKLM\Software\Classes\CLSID\{D78067F6-B21C-40A6-C99B-FEE2FBE26DF6}
HKCR\CLSID\{D78067F6-B21C-40A6-C99B-FEE2FBE26DF6}
HKCR\CLSID\{D78067F6-B21C-40A6-C99B-FEE2FBE26DF6}\InProcServer32
HKCR\CLSID\{D78067F6-B21C-40A6-C99B-FEE2FBE26DF6}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\MSN\QUFA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D78067F6-B21C-40A6-C99B-FEE2FBE26DF6}
C:\PROGRAM FILES\XEROX\MESOVIDU43855.DLL
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN\QUFA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\YBQGIEOL\QUFA.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097220.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1377\A0099245.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1377\A0099246.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101323.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101347.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101446.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101479.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101480.DLL
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\TTC.DLL
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\YBQGIEOL\QUFA.DLL
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\YBQGIEOL\QUFA765.DLL

Adware.Tracking Cookie

Adware.Spyware Labs/Virtual Bouncer
C:\Documents and Settings\Filipe\Start Menu\Programs\AdDestroyer

Adware.Web Buying
HKU\.DEFAULT\Software\WebBuying
HKU\S-1-5-18\Software\WebBuying

Adware.RAC
C:\DOCUMENTS AND SETTINGS\FILIPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8943O70J\83122[1].EXE

Trojan.ZQuest-Installer
C:\DOCUMENTS AND SETTINGS\FILIPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CH6JS9IR\TK58[1].EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097033.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097231.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1373\A0097243.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1377\A0099244.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1377\A0100244.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101322.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101341.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101357.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101501.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101631.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101640.EXE
C:\WINDOWS\TK58.EXE
C:\WINDOWS\Prefetch\TK58.EXE-1D42EE94.pf

Browser Hijacker.Passivecow
C:\DOCUMENTS AND SETTINGS\FILIPE\MY DOCUMENTS\BACKUPS\BACKUP-20060112-151904-632.DLL

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\FILIPE\MY DOCUMENTS\VIRUS CLEANERES\OIUNINSTALLER.EXE

Adware.ClearSearch
C:\DOCUMENTS AND SETTINGS\JAMIE\LOCAL SETTINGS\TEMP\CLRSCH\FNUNINSTALLER.EXE

Calling Home
C:\DOCUMENTS AND SETTINGS\JAMIE\LOCAL SETTINGS\TEMP\POLMX2.EXE

Trojan.Unknown Origin
C:\PROGRAM FILES\ONLINE SERVICES\MEBELU22011.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSINTSV32.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1345\A0093987.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1361\A0096083.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101364.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101375.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101381.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101392.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101396.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101405.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101407.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101447.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101476.EXE
C:\WINDOWS\TEMPF.TXT
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\RT27.EXE
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\RT29.EXE

Trojan.Net-AVP/AVT
C:\QOOBOX\QUARANTINE\C\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\AUTORUN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DOCUME~1\FILIPE\STARTM~1\PROGRAMS\STARTUP\SYSTEM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PRINTER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINAVXX.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101328.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101330.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101339.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101360.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101361.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101362.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101382.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101390.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101400.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101441.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101471.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101506.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101507.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101508.EXE

Trojan.Net-Explore/DND
C:\QOOBOX\QUARANTINE\C\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\INFO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DOCUME~1\FILIPE\STARTM~1\PROGRAMS\STARTUP\INFO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EXPLORE.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101329.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101333.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101334.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101355.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101377.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101394.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101472.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101500.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101510.EXE

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1361\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1362\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1363\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1364\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1365\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1366\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1367\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1368\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1369\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1370\SNAPSHOT\MFEX-26.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097006.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\SNAPSHOT\MFEX-26.DAT

Adware.ClickSpring
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PPPATC~1\CHKDSK.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1361\A0096081.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1361\A0096082.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1361\A0096085.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101494.EXE

Malware.Ultimate Defender
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\UCLEANER_SETUP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ULTIMATE CLEANER\ULTIMATECLEANER.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101274.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101293.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101305.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101348.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101490.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101509.EXE
C:\WINDOWS\SYSTEM32\OKQIPWGF\OKQIPWGF1.EXE
C:\WINDOWS\SYSTEM32\OKQIPWGF\OKQIPWGF2.EXE
C:\WINDOWS\SYSTEM32\OKQIPWGF\OKQIPWGF3.EXE

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.2\WBUNINST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.2\WEBBUYING.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\WBUN.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097004.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101495.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101496.EXE

Trojan.Downloader-Gen/RetAd
C:\QOOBOX\QUARANTINE\C\WINDOWS\RETADPU1000106.EXE.VIR

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\RMLSAXBL\ASAPPSRV.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1371\A0097005.DLL
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\TMPS7\CES005DR.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LJJJIJI.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LJJKHIF.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PMNOOOO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QOMNOOP.DLL.VIR

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\O02PREZ\O02PREZ1065.EXE.VIR

Adware.eZula
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OUGKEKBX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PYTUPRXT.EXE.VIR

Trojan.Downloader-Gen/TStamp
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QLIGQFJI.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101484.EXE

Adware.WebBuying-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\S7\WBB22.EXE.VIR

Trojan.Downloader-SP2F/Resident
C:\RECYCLER\S-1-5-21-342964207-1147840483-2400990687-1007\DC10.DLL

Trojan.Downloader-Gen/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1345\A0093986.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101376.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101393.EXE

Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101264.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101265.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101266.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101267.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101271.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101290.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101300.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101302.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101304.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101344.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101473.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101528.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101529.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101530.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101531.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101532.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101535.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101536.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101537.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101538.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101539.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101540.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0101541.LNK

Trojan.Downloader-NoName
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1379\A0101268.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101312.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1380\A0101324.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101350.EXE
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\HLPSRV.EXE

Adware.ZenoSearch-NVON
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101356.EXE

Trojan.Downloader-Gen/WinPop
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101366.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101399.EXE

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101374.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101391.EXE

Trojan.Downloader-MGRS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101378.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1381\A0101397.EXE

Adware.Aurora-Installer
C:\WINDOWS\BZGQGFPRF.EXE

Trojan.Downloader-Gen/AllowCookie
C:\WINDOWS\SYSTEM32\MGQAULSA.EXE

Trojan.Net-NUSR
C:\WINDOWS\SYSTEM32\NUSRMGR.EXE

Adware.Spyware Labs
C:\WINDOWS\SYSTEM32\SMAM.EXE

Adware.WebRebates
C:\WINDOWS\SYSTEM32\WEBREBATES.DLL

Trojan.Hoster
C:\WINDOWS\UNINSTALL_WH.EXE

Trojan.Downloader-Gen/MobRules
C:\_OTMOVEIT\MOVEDFILES\DOCUME~1\ALLUSE~1\APPLIC~1\TSFIVYBU.DLL
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\YBQGIEOL\YRHVNOMP.DLL

Trojan.Downloader-Gen/BigTkt
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\DRVGEJR.DLL

Trojan.Downloader-Gen/NoMultiTask
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\VTR.DLL
Activescan log:

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.exe
Virus:Generic Malware Disinfected C:\Documents and Settings\Filipe\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[citi.bridgetrack.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.adultfriendfinder.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.247realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.tribalfusion.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.mediaplex.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.xiti.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.media.fastclick.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.atwola.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.questionmarket.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[statse.webtrendslive.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.go.com/]
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.targetsaver.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-1.txt[.bfast.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[citi.bridgetrack.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.adultfriendfinder.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.247realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.tribalfusion.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.serving-sys.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.mediaplex.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.xiti.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.media.fastclick.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.statcounter.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.atwola.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.questionmarket.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[statse.webtrendslive.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.go.com/]
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.targetsaver.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-2.txt[.bfast.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[citi.bridgetrack.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.adultfriendfinder.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.247realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.tribalfusion.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.serving-sys.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.mediaplex.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.xiti.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.media.fastclick.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.statcounter.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.atwola.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.questionmarket.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[statse.webtrendslive.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.go.com/]
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.targetsaver.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies-3.txt[.bfast.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.statcounter.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.adrevolver.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.fastclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.2o7.net/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.casalemedia.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.overture.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.bfast.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.winantispyware.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.apmebf.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.zedo.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Filipe\Application Data\Mozilla\Firefox\Profiles\default.94u\cookies.txt[.xiti.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Filipe\Cookies\filipe@tickle[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Filipe\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Filipe\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Filipe\My Documents\Virus cleaneres\ComboFix.exe[nircmd.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.zedo.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.overture.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Firefox\Profiles\gerec21d.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.serving-sys.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.mediaplex.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[statse.webtrendslive.com/S133378]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.casalemedia.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[statse.webtrendslive.com/dcsuy22seau4fibba68ia3qp2_7e5d]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[statse.webtrendslive.com/dcsmrkwrqoifwzvt3t8mkqxl4_8d4k]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.zedo.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.fastclick.net/]
Spyware:Cookie/Euniverseads Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.euniverseads.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.targetnet.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.bfast.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.apmebf.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.revenue.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.valueclick.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.bluestreak.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.centrport.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.advertising.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jamie\Application Data\Netscape\NSB\Profiles\izhvzytg.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@888[2].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@abetterinternet[1].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@c.fsx[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@centrport[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@cgi-bin[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@com[2].txt
Spyware:Cookie/Dbbsrv Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@dbbsrv[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@domainsponsor[2].txt
Spyware:Cookie/Euniverseads Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@euniverseads[2].txt
Spyware:Cookie/Gator Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@gator[1].txt
Spyware:Cookie/Incredifind Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@incredifind[2].txt
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@peel[2].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@smni[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@tickle[2].txt
Spyware:Cookie/TopRebates.com Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@www.toprebates[2].txt
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\ClrSch\FNuninstaller.EX_[C:\AB9.tme]
Virus:Generic Malware Disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\comver.dll
Virus:Trj/Downloader.GK Disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\polmx2.cab
Adware:Adware/Transponder Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\polmx2.inf
Adware:Adware/ImiBar Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\systb.dll
Adware:Adware/Twain-Tech Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\THI6D86.tmp\preInsTT.exe
Adware:Adware/Twain-Tech Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\THI6D86.tmp\twaintec.cab
Adware:Adware/Twain-Tech Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\THI6D86.tmp\twaintec.dll
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\728x90[2].htm
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\160x600[3].htm
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\8NLJMAND\728x90[1].htm
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\336x280[1].htm
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\728x90[1].htm
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mom&Dad\Application Data\Mozilla\Profiles\default\ye3npgzu.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Qsrch Not disinfected C:\Documents and Settings\Mom&Dad\Cookies\mom&dad@newnet.qsrch[1].txt
Spyware:Cookie/TopRebates.com Not disinfected C:\Documents and Settings\Mom&Dad\Cookies\mom&dad@www.toprebates[2].txt
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\((((( we fly high 1 21.wma
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\(2) converting vegetarians 22.wma
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\- SnowBall - every time we touch remix 05.wma
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\- TiGhT - live to win 1 11.wma
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\01 rao kao 1 31.wma
Adware:Adware/AdvertMem Not disinfected C:\Program Files\Shareaza\Downloads\@ every time we touch 18.zip[setup.exe]
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\everyone's equal 1 29.wma
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\party hard 43.wma
Adware:Adware/AdvertMem Not disinfected C:\Program Files\Shareaza\Downloads\pepsi commercial 1 17.zip[install.exe]
Adware:Adware/AdvertMem Not disinfected C:\Program Files\Shareaza\Downloads\www.freewarez.to live to win 1 04.zip[setup.exe]
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\[new release] party hard 19.wma
Adware:Adware/AdvertMem Not disinfected C:\Program Files\Shareaza\Downloads\_cracked_ every time we touch remix 05.zip[install.exe]
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\_live_ rao kao 1 13.wma
Adware:Adware/AdvertMem Not disinfected C:\Program Files\Shareaza\Downloads\_uncensored_ party hard 00.zip[setup.exe]
Virus:Trj/WmaDownloader.F Disinfected C:\Program Files\Shareaza\Downloads\~~~~~~~~ live to win 1 29.wma
Virus:Generic Malware Disinfected C:\QooBox\Quarantine\C\Program Files\Ultimate Cleaner\com\ucsecuredelete.dll.vir
Adware:Adware/DeluxeComunications Not disinfected C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir
Adware:Adware/ConsumerAlertSystem Not disinfected C:\QooBox\Quarantine\C\WINDOWS\pf78.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\WINDOWS\retadpu2000219.exe.vir
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\atmtd.dll.vir
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\atmtd.dll._.vir
Virus:Trj/Downloader.PUT Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe.vir
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\S2\mwspasrt83122.exe.vir
Virus:Trj/Downloader.MDW Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\S4\wen2.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\S7\wr620.exe.vir
Spyware:Spyware/7r7t Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tpuninstall.exe.vir
Virus:Generic Malware Disinfected C:\QooBox\Quarantine\catchme2007-06-27_ 10616.90.zip[core.sys]
Virus:Bck/Agent.GBW Disinfected C:\RECYCLER\S-1-5-21-342964207-1147840483-2400990687-1007\Dc9.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups\backups.zip[backups/autorun.exe]
Virus:Trj/Generic.B Disinfected C:\SDFix\backups\backups.zip[backups/avp.exe]
Virus:Generic Trojan Disinfected C:\SDFix\backups\backups.zip[backups/b104.exe]
Adware:Adware/Winpopup Not disinfected C:\SDFix\backups\backups.zip[backups/b122.exe]
Virus:Trj/Clicker.AFN Disinfected C:\SDFix\backups\backups.zip[backups/explore.exe]
Adware:Adware/CommAd Not disinfected C:\SDFix\backups\backups.zip[backups/lA5Pur15.vbs]
Adware:Adware/SpywareNo Not disinfected C:\SDFix\backups\backups.zip[backups/movedfile.ren]
Virus:Generic Trojan Disinfected C:\SDFix\backups\backups.zip[backups/popinstall.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups\backups.zip[backups/printer.exe]
Virus:Trj/Downloader.MDW Disinfected C:\SDFix\backups\backups.zip[backups/UnInstall.exe]
Adware:Adware/SearchAid Not disinfected C:\SDFix\backups\backups.zip[backups/uninstall_nmon.vbs]
Adware:Adware/Yazzle Not disinfected C:\SDFix\backups\backups.zip[backups/win216.tmp.exe]
Adware:Adware/Yazzle Not disinfected C:\SDFix\backups\backups.zip[backups/win216.tmp.exe][¦++\Yazzle1162OinAdmin.exe]
Adware:Adware/SpywareNo Not disinfected C:\SDFix\backups\backups.zip[backups/winmfu32.dll]
Adware:Adware/Yazzle Not disinfected C:\SDFix\backups\backups.zip[backups/Yazzle1162OinAdmin.exe]
Adware:Adware/Yazzle Not disinfected C:\SDFix\backups\backups.zip[backups/Yazzle1162OinUninstaller.exe]
Adware:Adware/Yazzle Not disinfected C:\SDFix\backups\backups.zip[backups/Yazzle1281OinAdmin.exe]
Adware:Adware/Yazzle Not disinfected C:\SDFix\backups\backups.zip[backups/Yazzle1281OinUninstaller.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups\HOSTS
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[smitRem/Process.exe]
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax_gdf.dat
Adware:adware/clickalchemy Not disinfected C:\WINDOWS\alchem.ini
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/WUpd Not disinfected C:\WINDOWS\Downloaded Program Files\BridgeX.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
Adware:adware/ebgames Not disinfected C:\WINDOWS\games.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\alchem.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/BTGrab Not disinfected C:\WINDOWS\INF\btgrab.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\INF\polmx2.inf
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/SearchFast Not disinfected C:\WINDOWS\search.exe
Adware:adware/igetnet Not disinfected C:\WINDOWS\SYSTEM\rules.dat
Adware:Adware/BookedSpace Not disinfected C:\WINDOWS\SYSTEM32\bsd.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\gss.exe
Virus:Trj/Downloader.PUT Disinfected C:\WINDOWS\SYSTEM32\ICM23\nnx22011.exe
Adware:Adware/KeenValue Not disinfected C:\WINDOWS\SYSTEM32\in10b6s.dll
Virus:Trj/Multidropper.BED Disinfected C:\WINDOWS\SYSTEM32\Setup8823.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Virus:Trj/Agent.GAP Disinfected C:\WINDOWS\SYSTEM32\~.exe
Virus:Trj/Downloader.PNC Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\cofig1\rrws88.exe



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:57 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Filipe\Desktop\HiJackThis(2).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\FILIPE\Application Data\Mozilla\Profiles\default\8d6emau6.slt\prefs.js)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128476691\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6669 bytes

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 16 September 2007 - 07:40 AM

Delete everything inside these two folders:
C:\Documents and Settings\Jamie\Local Settings\Temp
C:\Program Files\Shareaza\Downloads

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\180ax_gdf.dat
C:\WINDOWS\alchem.ini
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\games.exe
C:\WINDOWS\Downloaded Program Files\BridgeX.inf
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\INF\btgrab.inf
C:\WINDOWS\INF\polmx2.inf
C:\WINDOWS\kwv2.dat
C:\WINDOWS\search.exe
C:\WINDOWS\SYSTEM\rules.dat
C:\WINDOWS\SYSTEM32\bsd.exe
C:\WINDOWS\SYSTEM32\gss.exe
C:\WINDOWS\SYSTEM32\in10b6s.dll
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\Documents and Settings\Jamie\Local Settings\Temp\ClrSch
C:\Documents and Settings\Jamie\Local Settings\Temp\polmx2.inf
C:\Documents and Settings\Jamie\Local Settings\Temp\systb.dll
C:\Documents and Settings\Jamie\Local Settings\Temp\THI6D86.tmp\preInsTT.exe
C:\Documents and Settings\Jamie\Local Settings\Temp\THI6D86.tmp\twaintec.cab
C:\Documents and Settings\Jamie\Local Settings\Temp\THI6D86.tmp\twaintec.dll
C:\Program Files\Shareaza\Downloads\@ every time we touch 18.zip[setup.exe]
C:\Program Files\Shareaza\Downloads\pepsi commercial 1 17.zip[install.exe]
C:\Program Files\Shareaza\Downloads\www.freewarez.to live to win 1 04.zip[setup.exe]
C:\Program Files\Shareaza\Downloads\_cracked_ every time we touch remix 05.zip[install.exe]
C:\Program Files\Shareaza\Downloads\_uncensored_ party hard 00.zip[setup.exe]


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes', and your 'System Restore' directories will be purged.

Restart your PC.

Turn 'System Restore' back on:

Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.


Download the trial version of Spy Sweeper:
http://www.webroot.com/shoppingcart/tryme....&vcode=DT14

Install it using the Standard Install option.
You will be asked for your e-mail address; it's safe to give it.
If you receive alerts from your firewall, allow all activities for Spy Sweeper.

You will be prompted to check for updated definitions; please do so. This may take several minutes, so please be patient.

Once the updates have been installed, click on 'Options' and check/enable 'Full Sweep [Recommended]'.
Click on 'Sweep', then 'Start Full Sweep' and allow it to fully scan your system.

When the sweep has finished, click 'Select All' and then click 'Quarantine Selected'.
Under the 'Summary' tab, select 'View Session Log'.
Click 'Save to File' and save the log to your desktop.

Exit Spy Sweeper.
Restart your PC, then copy and paste the Spy Sweeper log into your next reply.
Also post a new HijackThis log.

Edited by RichieUK, 16 September 2007 - 07:53 PM.

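The removal list RichieUK built above is the "Not disinfected" part of the ActiveScan report posted earlier, with the tracking cookies and the already-quarantined copies under C:\QooBox, C:\SDFix and C:\smitRem left out. As an added example that is not part of this thread and not code from any of the tools named in it, the Python script below does that triage mechanically: it parses report lines in the "<category>:<detection> <status> <path>" shape seen above, strips a trailing "[member]" so that only the container file on disk is reported, and buckets each entry as cleaned, cookie, tool quarantine, or still needing removal. The line format, the list of tool folders and the bucket names are my assumptions inferred from the report; the sample lines are a constructed subset copied from the report in this thread.

```python
"""Triage helper for Panda ActiveScan-style report lines (added example).

Each report line reads "<category>:<detection> <status> <path>". The script
keeps the entries that still need manual handling: detections the scanner
did not clean, that are not tracking cookies, and that do not sit inside the
quarantine or backup folders of the removal tools already run. The container
paths it returns are the ones a helper would paste into a mover such as OTMoveIt.
"""
import re
from collections import Counter

# One report line. The detection name can contain spaces ("Generic Malware"),
# so it is matched lazily up to the status word; the path starts at a drive letter.
# Assumption: this regex is inferred from the report format, not a Panda spec.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<detection>.+?) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# A trailing "[member]" names an item inside an archive or a cookie jar;
# only the container on disk can be moved, so that is what we report.
MEMBER_RE = re.compile(r"^(?P<container>.+?)\[(?P<member>.+)\]$")

# Folders of the cleanup tools used in this thread (QooBox, SDFix, smitRem,
# OTMoveIt). Detections in them are already-neutralised copies.
# Assumption: this prefix list is ours; it is compared case-insensitively.
TOOL_FOLDERS = ("c:\\qoobox\\", "c:\\sdfix\\", "c:\\smitrem", "c:\\_otmoveit\\")

# Constructed sample: a handful of lines copied from the report posted above.
SAMPLE_REPORT = r"""
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jamie\Application Data\Mozilla\Profiles\default\mic4h161.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@888[1].txt
Virus:Generic Malware Disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\comver.dll
Adware:Adware/Transponder Not disinfected C:\Documents and Settings\Jamie\Local Settings\Temp\polmx2.inf
Adware:Adware/AdvertMem Not disinfected C:\Program Files\Shareaza\Downloads\pepsi commercial 1 17.zip[install.exe]
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\WINDOWS\retadpu2000219.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups\backups.zip[backups/autorun.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem\Process.exe
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax_gdf.dat
Virus:Trj/Agent.GAP Disinfected C:\WINDOWS\SYSTEM32\~.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
"""


def parse_line(line):
    """Return a dict for one report line, or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    mm = MEMBER_RE.match(entry["path"])
    entry["container"] = mm.group("container") if mm else entry["path"]
    entry["member"] = mm.group("member") if mm else None
    return entry


def classify(entry):
    """Bucket a parsed entry by what still needs doing about it."""
    if entry["status"] == "Disinfected":
        return "cleaned"            # scanner already removed or repaired it
    if entry["detection"].lower().startswith("cookie/"):
        return "cookie"             # tracking cookie: clear via the browser, not a mover
    if entry["container"].lower().startswith(TOOL_FOLDERS):
        return "tool_quarantine"    # goes away when the cleanup tool is uninstalled
    return "needs_removal"          # live file the user still has to move or delete


def triage(report_text):
    """Parse a whole report; return the removal list and a per-bucket count."""
    summary = Counter()
    remove = []
    for line in report_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        summary[kind] += 1
        if kind == "needs_removal" and entry["container"] not in remove:
            remove.append(entry["container"])   # one entry per archive, however many members
    return {"remove": remove, "summary": dict(summary)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Summary:", result["summary"])
    print("Paths to move:")
    for path in result["remove"]:
        print(" ", path)
```

Run against the full report, the script reproduces RichieUK's selection from the C:\WINDOWS and Temp entries and the Shareaza archives, while leaving the cookies (cleared from the browser) and the QooBox/SDFix/smitRem copies (removed when those tools are uninstalled) out of the mover list. The Disinfected rows are reported only in the summary, since the scanner already dealt with them.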

#14 Flyinlowsup

Flyinlowsup
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 16 September 2007 - 07:42 PM

When I try to delete everything inside C:\Documents and Settings\Jamie\Local Settings\Temp, it says I'm not a specified user, and when I try to delete everything inside C:\Program Files\Shareaza\Downloads, the window freezes and I have to bring up the task manager to delete the window. I didn't try to do the rest after this happened. What should I do about the things I just mentioned?

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 16 September 2007 - 07:54 PM

I've edited the OTMoveIt instructions, so carry on there please.



