
Vundo, And Ad Highjack W/adult Content


This topic is locked
17 replies to this topic

#1 mp2002

Posted 08 March 2008 - 11:49 AM

Hello, this is my first post and I am not very computer savvy so I will hopefully give you the info. needed. Appreciate any help anyone can offer.

I am running Microsoft Windows XP Home Edition 5.1.2600 Serv. Pack 2. I have been having some issues with trojans and Vundo, but AVG always said it was quarantining them so I didn't worry too much. For the past week or so, though, I have been bombarded by ads on all websites that start out as a regular Google ad and then flip to adult content ads (very, very graphic content). Then my temp internet files fill up to over 100 files within minutes, along with cookies.

I spent all night last night reading fixes on here so I have done the following:

- Currently have AVG rootkit, 7.5, and antispyware.
- Yesterday I downloaded Adware 2007 and then Super Antispyware after reading on here and nothing fixed the problem.
- Computer now is very, very slow.
- I then deleted my Google toolbar and desktop and switched to Yahoo Search and it seems to have cleared up most of the adult content problem, but every screen I go to I have to click about 5 times to go forward or back with the pop-up screen restricted toolbar coming up.
- All the antispyware found Vundo (and lots of other infections) and I quarantined everything each time. I tried to follow other thread fixes and run the VundoFix, but after I download the fix to my desktop and try to run it I get the following error:
  Run-time error '339': component 'comdlg32.ocs' or one of its dependencies not correctly registered: a file is missing or invalid.
- I had issues about a year ago and we basically deleted everything and started over. Since that time I have always received rundll error codes (3 different ones) at start up but I just cancel out. Yesterday I followed the autorun fix posted to someone else on a diff. thread and have removed them, but I get a new one every time I reboot now so I just keep doing that fix.

This is probably too much info. for you all but wanted you to know what I have done.

Also, any advice on the best antispyware and virus protection? I currently have all the free ones listed above. I am willing to buy the advanced versions but don't know which one to get. I thought it was bad to have more than one because they got in each others way but I would like to avoid this kind of problem.

I have the superantispyware report I ran last night in safe mode but didn't want to post if you didn't want it since this note is already so long. Please help anyone! Thanks.

#2 mp2002

Posted 08 March 2008 - 11:53 AM

Sorry, forgot to mention that I ran the SuperAntiSpyware in safe mode per directions to others in their posts. :thumbsup:

Also, I had an outdated version of Java so I updated that last night as well.

Edited by mp2002, 08 March 2008 - 11:55 AM.


#3 boopme (Global Moderator)

Posted 08 March 2008 - 11:59 AM

Yes, please post the SAS scan log. We will go on from there. Also, you may want to uninstall AdAware from Control Panel, as the latest version has been causing some folks a slowdown. We can always put it back later.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#4 mp2002

Posted 08 March 2008 - 12:24 PM

Thanks so much, and sorry it is very long.... I think I have a big mess! (Also, since getting rid of the Google the adult adware seems to be under control since I logged on this AM - at least so far!) Right before I rebooted to safe mode I deleted the temp files and cookies, but in the time it took me to do that and then log off a bunch of cookies must have come through. I always update my cookie settings to medium every time I log on to the internet, but when I get off and then come back it changes to allow all. This AM I changed it to prompt before allowing and had to turn it off because I couldn't post; all I kept getting was cookie prompts. Is this normal, do you know? I do a lot of shopping on the net.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/08/2008 at 08:06 AM

Application Version : 4.0.1154

Core Rules Database Version : 3416
Trace Rules Database Version: 1408

Scan type : Complete Scan
Total Scan Time : 03:41:37

Memory items scanned : 211
Memory threats detected : 1
Registry items scanned : 4441
Registry threats detected : 172
File items scanned : 271744
File threats detected : 178

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\AWVVW.DLL
C:\WINDOWS\SYSTEM32\AWVVW.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{80A076A3-2DCA-4C82-BC58-BCBA520A89AE}
HKCR\CLSID\{80A076A3-2DCA-4C82-BC58-BCBA520A89AE}
HKCR\CLSID\{80A076A3-2DCA-4C82-BC58-BCBA520A89AE}\InprocServer32
HKCR\CLSID\{80A076A3-2DCA-4C82-BC58-BCBA520A89AE}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80A076A3-2DCA-4C82-BC58-BCBA520A89AE}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC192567-65F9-4AB6-ADB7-E13575F81726}

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}
HKCR\CLSID\{CF46BFB3-2ACC-441B-B82B-36B9562C7FF1}
HKCR\CLSID\{CF46BFB3-2ACC-441B-B82B-36B9562C7FF1}\InprocServer32
HKCR\CLSID\{CF46BFB3-2ACC-441B-B82B-36B9562C7FF1}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\ADKNUICS.DLL
HKCR\CLSID\{CF46BFB3-2ACC-441B-B82B-36B9562C7FF1}

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{f063a0c2-7eba-4b73-89e1-55f64f90732e}
HKCR\CLSID\{F063A0C2-7EBA-4B73-89E1-55F64F90732E}
HKCR\CLSID\{F063A0C2-7EBA-4B73-89E1-55F64F90732E}\InprocServer32
HKCR\CLSID\{F063A0C2-7EBA-4B73-89E1-55F64F90732E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\UREEQKSP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f063a0c2-7eba-4b73-89e1-55f64f90732e}
C:\WINDOWS\SYSTEM32\FEKDRLES.DLL

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https

Adware.Vundo-Variant/C
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awvvw

Adware.Tracking Cookie
C:\Documents and Settings\Margaret Burt\Cookies\margaret_burt@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Margaret Burt\Cookies\margaret_burt@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adinterax[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adoption[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.channel4[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.gorillanation[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.lowes[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.medscape[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.mm.ap[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.sheknows[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads1.rodale[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adv.webmd[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@banner2.inet-traffic[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bannerspace[1].txt
C:\Documents and Settings\Owner\Cookies\owner@banner[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bizrate[1].txt
C:\Documents and Settings\Owner\Cookies\owner@boscovs75mid.crossmediaservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@classaction.findlaw[1].txt
C:\Documents and Settings\Owner\Cookies\owner@coolsavings[2].txt
C:\Documents and Settings\Owner\Cookies\owner@creativeby.viewpoint[2].txt
C:\Documents and Settings\Owner\Cookies\owner@csavings.adbureau[2].txt
C:\Documents and Settings\Owner\Cookies\owner@delawareonline.homefinder[1].txt
C:\Documents and Settings\Owner\Cookies\owner@exitexchange[1].txt
C:\Documents and Settings\Owner\Cookies\owner@findlaw[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hc2.humanclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@icc.intellisrv[2].txt
C:\Documents and Settings\Owner\Cookies\owner@indextools[1].txt
C:\Documents and Settings\Owner\Cookies\owner@inet-traffic[1].txt
C:\Documents and Settings\Owner\Cookies\owner@intellisrv[1].txt
C:\Documents and Settings\Owner\Cookies\owner@jcpenney1902outstanding.crossmediaservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@kohls70shop.crossmediaservices[2].txt
C:\Documents and Settings\Owner\Cookies\owner@maxserving[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediax[1].txt
C:\Documents and Settings\Owner\Cookies\owner@metareward[1].txt
C:\Documents and Settings\Owner\Cookies\owner@nandomedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@nextag[1].txt
C:\Documents and Settings\Owner\Cookies\owner@parentingteens.about[1].txt
C:\Documents and Settings\Owner\Cookies\owner@rightmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@stats.klsoft[1].txt
C:\Documents and Settings\Owner\Cookies\owner@stats.manticoretechnology[1].txt
C:\Documents and Settings\Owner\Cookies\owner@superstats[2].txt
C:\Documents and Settings\Owner\Cookies\owner@teenadvice.about[1].txt
C:\Documents and Settings\Owner\Cookies\owner@teenlifelines[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tripod[2].txt
C:\Documents and Settings\Owner\Cookies\owner@webstats.bcd2000[1].txt
C:\Documents and Settings\Owner\Cookies\owner@windowsmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.bulkclicks[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.findarticles[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.petfinder[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.strugglingteens[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.troubledteen[2].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}#AppID
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}\LocalServer32
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}\Programmable
HKLM\SYSTEM\CurrentControlSet\Services\FOPN
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Type
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Start
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Tag
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Group
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Overflow
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\blocked
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DATASTORE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DATASTORE\LOGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WBEM\LOGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\PREFETCH
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\GRISOFT\AVG7DATA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WBEM\REPOSITORY\FS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\TASKS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\AVG7\LOG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\LAVASOFT\AD-AWARE 2007
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CONFIG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\TEMP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUME~1\MARGAR~1\LOCALS~1\TEMP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\APPLICATION DATA\SUPERANTISPYWARE.COM\SUPERANTISPYWARE\APPLOGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\USERS\MARGARET BURT\DATA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\USERS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\APPLICATION DATA\REAL\RNADMIN
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\APPLICATION DATA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\GRISOFT\AVG7DATA\AVG7UPD
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\$VAULT$.AVG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\COMMON FILES\WISE INSTALLATION WIZARD
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\HP PRODUCT ASSISTANT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\HP\PRODUCTASSISTANT\DATA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\HP\DIGITAL IMAGING\HP PHOTOSMART C4200 SERIES\1204420092\DATA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XFI18HMH
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\05GWKULL
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\COOKIES
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUME~1\MARGAR~1\LOCALS~1\TEMP\MPROJECTOR1052735601
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\B1RDSHQS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\WUREDIR\7971F918-A847-4430-9279-4A52D1EFE18D
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Q8LTG9OM
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRA~1\HEWLET~1\AIO\HPIS\LOG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\USERS\MARGARET BURT\DATA\4557
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRA~1\HEWLET~1\AIO\HPIS\WWWROOT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\TEMP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRA~1\HEWLET~1\AIO\HPIS\ETC
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WBEM\REPOSITORY
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\HEWLETT-PACKARD\AIO\HPIS\LOG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOGFILES\WUDF
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\NETWORKSERVICE.NT AUTHORITY\LOCAL SETTINGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\LOCAL SETTINGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\LAVASOFT\LICENSE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ADMINISTRATOR
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT2
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\HISTORY\HISTORY.IE5
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\RECYCLER\S-1-5-21-1220945662-113007714-682003330-1005
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\DESKTOP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\J9QSG0WG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\PKUNHAM5
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\9WOK0PL6
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\3KZD8XTT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\FAVORITES
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\APPLICATION DATA\MACROMEDIA\SHOCKWAVE PLAYER
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUME~1\MARGAR~1\LOCALS~1\TEMP\CABGENERIC\DIRONE\DEFAULT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERACTUAL\INTERACTUAL PLAYER
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERACTUAL\INTERACTUAL PLAYER\WEBLINKS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERACTUAL\INTERACTUAL PLAYER\SKINS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRA~1\HEWLET~1\AIO\HPIS\COMMON\LOG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\DESKTOP\AUTORUNS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\HISTORY\HISTORY.IE5\MSHIST012008030820080309
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\SUPERANTISPYWARE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DESKTOP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\RECENT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\APPLICATION DATA\REAL\REALPLAYER
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\APPLICATION DATA\SUPERANTISPYWARE.COM\SUPERANTISPYWARE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\INSTALLER
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\CONFIG.MSI
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\START MENU\PROGRAMS\SUPERANTISPYWARE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1135
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\SUPERANTISPYWARE\PLUGINS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1135\SNAPSHOT\REPOSITORY\FS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1135\SNAPSHOT\REPOSITORY
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1134
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1135\SNAPSHOT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GCDTMP5
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS MEDIA\11.0
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\APPLICATION DATA\MICROSOFT\WINDOWS\THEMES
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SECURITY\LOGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7BKADN01
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\9F3THMXU
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Q2SJ4BIT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NP3E59Q7
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DLLCACHE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\SYSTEMROOT\LASTGOOD.TMP\SYSTEM32\SPOOL\DRIVERS\W32X86\3
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\SYSTEMROOT\LASTGOOD.TMP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\SYSTEMROOT\LASTGOOD.TMP\SYSTEM32
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\SYSTEMROOT\LASTGOOD.TMP\TWAIN_32\LEXMARK\2200 SERIES
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUME~1\MARGAR~1\LOCALS~1\TEMP\WER8D96.DIR00
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\BIN
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\LIB
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1134\SNAPSHOT\REPOSITORY\FS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\BIN\CLIENT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1134\SNAPSHOT\REPOSITORY
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\SYSTEM VOLUME INFORMATION\_RESTORE{B1908A88-BCD2-416A-8FA3-53766C19522C}\RP1134\SNAPSHOT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRA~1\JAVA\JRE16~2.0_0\BIN
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRA~1\JAVA\JRE16~2.0_0\BIN\CLIENT
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\LIB\ZI\AMERICA\INDIANA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#???
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#???????C????????
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\LIB\ZI\AMERICA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\LIB\ZI\ATLANTIC
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\LIB\ZI\AUSTRALIA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE1.6.0_05\LIB\ZI\AFRICA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Security
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#NextInstance
C:\WINDOWS\system32\drivers\FOPN.sys

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.IPWins
HKU\S-1-5-21-1220945662-113007714-682003330-1005\Software\IpWins

Adware.Web Buying
HKU\S-1-5-21-1220945662-113007714-682003330-1005\Software\WebBuying

Trojan.WinAntiSpyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Documents and Settings\Margaret Burt\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Margaret Burt\Application Data\WinAntiSpyware 2007\Logs
C:\Documents and Settings\Margaret Burt\Application Data\WinAntiSpyware 2007
C:\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMP\WINANTISPYWARE2007SETUP.EXE

Adware.WinTouch/XInside
C:\Program Files\InetGet2

Adware.Mirar/NetNucleus
C:\DOCUMENTS AND SETTINGS\MARGARET BURT\LOCAL SETTINGS\TEMP\MIRARPREFETCHOR.EXE

Adware.k8l
C:\PROGRAM FILES\MSN\PROKY.HTML

Adware.eZula
C:\WINDOWS\SYSTEM32\ACOPIHLP.EXE
C:\WINDOWS\SYSTEM32\AIJHVCGH.EXE
C:\WINDOWS\SYSTEM32\AIRAOHOF.EXE
C:\WINDOWS\SYSTEM32\AMNMIWHT.EXE
C:\WINDOWS\SYSTEM32\AQCRTGMV.EXE
C:\WINDOWS\SYSTEM32\ASSRXNBU.EXE
C:\WINDOWS\SYSTEM32\BBQSYSPK.EXE
C:\WINDOWS\SYSTEM32\BDRYTSUC.EXE
C:\WINDOWS\SYSTEM32\BIXDECGR.EXE
C:\WINDOWS\SYSTEM32\BVRSJMCW.EXE
C:\WINDOWS\SYSTEM32\BVXMFPKM.EXE
C:\WINDOWS\SYSTEM32\BWPNONTQ.EXE
C:\WINDOWS\SYSTEM32\CBDDMBLT.EXE
C:\WINDOWS\SYSTEM32\CCVMPHIN.EXE
C:\WINDOWS\SYSTEM32\DLKLGFYM.EXE
C:\WINDOWS\SYSTEM32\DNXVICCD.EXE
C:\WINDOWS\SYSTEM32\DRFFMCVI.EXE
C:\WINDOWS\SYSTEM32\DTGUJQEK.EXE
C:\WINDOWS\SYSTEM32\DXSNCBTR.EXE
C:\WINDOWS\SYSTEM32\EAGQRYBU.EXE
C:\WINDOWS\SYSTEM32\EHYEXJPW.EXE
C:\WINDOWS\SYSTEM32\EIGMVCCR.EXE
C:\WINDOWS\SYSTEM32\EOPPFDQB.EXE
C:\WINDOWS\SYSTEM32\EPAYEUHT.EXE
C:\WINDOWS\SYSTEM32\ERRNRWCJ.EXE
C:\WINDOWS\SYSTEM32\ESRFKHTV.EXE
C:\WINDOWS\SYSTEM32\FDWAHPAE.EXE
C:\WINDOWS\SYSTEM32\FSNSHBYU.EXE
C:\WINDOWS\SYSTEM32\FWPDDMAA.EXE
C:\WINDOWS\SYSTEM32\GEOFNMTD.EXE
C:\WINDOWS\SYSTEM32\GHWNXGIR.EXE
C:\WINDOWS\SYSTEM32\GMPRHOAN.EXE
C:\WINDOWS\SYSTEM32\GPRSTJGA.EXE
C:\WINDOWS\SYSTEM32\GQPBVOWA.EXE
C:\WINDOWS\SYSTEM32\HDCGPPQX.EXE
C:\WINDOWS\SYSTEM32\HETOAUNX.EXE
C:\WINDOWS\SYSTEM32\HHIYKLIL.EXE
C:\WINDOWS\SYSTEM32\HRYPDMBV.EXE
C:\WINDOWS\SYSTEM32\HUKVAQLD.EXE
C:\WINDOWS\SYSTEM32\HYQPRGEQ.EXE
C:\WINDOWS\SYSTEM32\IBHOLHPP.EXE
C:\WINDOWS\SYSTEM32\IMAUTLVB.EXE
C:\WINDOWS\SYSTEM32\IVNABFUS.EXE
C:\WINDOWS\SYSTEM32\IYQGWQCV.EXE
C:\WINDOWS\SYSTEM32\JTTQTPTS.EXE
C:\WINDOWS\SYSTEM32\JVYVGJQW.EXE
C:\WINDOWS\SYSTEM32\KAEMLBDR.EXE
C:\WINDOWS\SYSTEM32\KCFAPANM.EXE
C:\WINDOWS\SYSTEM32\KGCXCGQJ.EXE
C:\WINDOWS\SYSTEM32\KQSNPVTY.EXE
C:\WINDOWS\SYSTEM32\KUUIJFON.EXE
C:\WINDOWS\SYSTEM32\LBBLBJMJ.EXE
C:\WINDOWS\SYSTEM32\LPEQNURI.EXE
C:\WINDOWS\SYSTEM32\LRXHOCIV.EXE
C:\WINDOWS\SYSTEM32\LSSEFICM.EXE
C:\WINDOWS\SYSTEM32\LXSSJBON.EXE
C:\WINDOWS\SYSTEM32\MMPBERPW.EXE
C:\WINDOWS\SYSTEM32\MRNEAXLA.EXE
C:\WINDOWS\SYSTEM32\NFDQFEGM.EXE
C:\WINDOWS\SYSTEM32\NOQLXSGR.EXE
C:\WINDOWS\SYSTEM32\OANUVPTH.EXE
C:\WINDOWS\SYSTEM32\OBUNKUPJ.EXE
C:\WINDOWS\SYSTEM32\OPFUWJJC.EXE
C:\WINDOWS\SYSTEM32\OUGPMHVO.EXE
C:\WINDOWS\SYSTEM32\PAEAMHUM.EXE
C:\WINDOWS\SYSTEM32\PCGJXMPQ.EXE
C:\WINDOWS\SYSTEM32\QCVPOYEB.EXE
C:\WINDOWS\SYSTEM32\QISCFALG.EXE
C:\WINDOWS\SYSTEM32\QPSIKSPN.EXE
C:\WINDOWS\SYSTEM32\RDFWVHAS.EXE
C:\WINDOWS\SYSTEM32\RDIAHPLN.EXE
C:\WINDOWS\SYSTEM32\RDYPTWGF.EXE
C:\WINDOWS\SYSTEM32\REBKCHKH.EXE
C:\WINDOWS\SYSTEM32\RUJGLUWK.EXE
C:\WINDOWS\SYSTEM32\SDXBLRUT.EXE
C:\WINDOWS\SYSTEM32\SGWFFKCN.EXE
C:\WINDOWS\SYSTEM32\SIRHHYPT.EXE
C:\WINDOWS\SYSTEM32\SMURJQDS.EXE
C:\WINDOWS\SYSTEM32\SNRJXVUU.EXE
C:\WINDOWS\SYSTEM32\SPRPFQTL.EXE
C:\WINDOWS\SYSTEM32\SQFBJGGR.EXE
C:\WINDOWS\SYSTEM32\TEMIDOOQ.EXE
C:\WINDOWS\SYSTEM32\TTAMXSBM.EXE
C:\WINDOWS\SYSTEM32\TTPOBOFA.EXE
C:\WINDOWS\SYSTEM32\TYKBPGHU.EXE
C:\WINDOWS\SYSTEM32\UFEDTXNO.EXE
C:\WINDOWS\SYSTEM32\UPWQPYVD.EXE
C:\WINDOWS\SYSTEM32\UQXGUVXR.EXE
C:\WINDOWS\SYSTEM32\UTJGDJRI.EXE
C:\WINDOWS\SYSTEM32\UUXWFEQU.EXE
C:\WINDOWS\SYSTEM32\UXVDNOMF.EXE
C:\WINDOWS\SYSTEM32\VQQNEQOS.EXE
C:\WINDOWS\SYSTEM32\VRYEOTGT.EXE
C:\WINDOWS\SYSTEM32\VSUPVOVK.EXE
C:\WINDOWS\SYSTEM32\VXNTEYXW.EXE
C:\WINDOWS\SYSTEM32\WBEXHHCX.EXE
C:\WINDOWS\SYSTEM32\WJYLOBRJ.EXE
C:\WINDOWS\SYSTEM32\WXSHDSPH.EXE
C:\WINDOWS\SYSTEM32\XKPCYTEP.EXE
C:\WINDOWS\SYSTEM32\XMSNCMCF.EXE
C:\WINDOWS\SYSTEM32\XUHEKHPE.EXE
C:\WINDOWS\SYSTEM32\XUTQSERS.EXE
C:\WINDOWS\SYSTEM32\YETTLLNS.EXE
C:\WINDOWS\SYSTEM32\YKXWCLRF.EXE
C:\WINDOWS\SYSTEM32\YMMFTYFA.EXE
C:\WINDOWS\SYSTEM32\YSYWEMLK.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

#5 mp2002 (Topic Starter, Members, 22 posts)

Posted 08 March 2008 - 12:32 PM

I deleted the Adware 2007. I don't need it; I just read somewhere else that it might detect my problem and loaded it right before I found this site, and it recommended the SAS. Thanks again.

#6 boopme, "To Insanity and Beyond" (Global Moderator, 72,214 posts, NJ USA)

Posted 08 March 2008 - 06:13 PM

So after the scan are the popups gone? PC working normally again?

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 mp2002 (Topic Starter, Members, 22 posts)

Posted 08 March 2008 - 06:46 PM

There are still all kinds of ads but they are no longer adult content (that's an improvement at least!!!). But the computer has gotten very slow. For example, even when I read on these threads there are ads inside the posts sometimes with the words wrapping around the ads. Do you have any idea why I couldn't get the Vundo fix to run and get the error message posted above?

It takes about 3-4 minutes to go from one page to another anywhere (loading one page to another). And when I hit the back page arrow I have to hit it 4-6 times for it to actually do the requested action. I keep getting a "done but w/error on page" message but it never goes anywhere until I hit it a bunch of times.

Hope this makes sense. I've never had a computer react this slow or this contrary.

#8 boopme, "To Insanity and Beyond" (Global Moderator, 72,214 posts, NJ USA)

Posted 08 March 2008 - 09:26 PM

We will do another scan then.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

Edited by Grinler, 18 February 2010 - 01:50 PM.


#9 mp2002 (Topic Starter, Members, 22 posts)

Posted 09 March 2008 - 12:01 AM

Ran the new report, thx. Aren't these the same as some of the others removed in previous scans? How do they get removed permanently? Is that possible?

Malwarebytes' Anti-Malware 1.07
Database version: 470

Scan type: Quick Scan
Objects scanned: 199774
Time elapsed: 1 hour(s), 50 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.CouponBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.CouponBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.CouponBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.CouponBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ApiMon (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\B1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B3 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B4 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.CouponBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\Abbr (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\ProductCode (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
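The log above says what was found, but not whether the items repeat from earlier scans or which of them are the ones that bring the symptom back. As an added example (not from this thread and not Malwarebytes' own code), here is how a practitioner reads a log in this line format: a small Python parser that tallies detections by family, checks which items an earlier scan already reported, and flags the entries that act as persistence or re-enable the symptom, such as the service entry and the Internet Explorer "New Windows\Allow" entry for *.starsdoor.com, which whitelists pop-ups from that domain. The sample log text is constructed from the line shapes seen in this thread, and `EARLIER_SCAN_ITEMS` (a stand-in for the SAS results) and the function names are the example's own assumptions.

```python
"""Parse a Malwarebytes'-style scan log and compare it with an earlier scan.

Added example for this thread; not Malwarebytes' code. MBAM_LOG is a
constructed sample in the line shape seen in the thread, and
EARLIER_SCAN_ITEMS is a constructed stand-in for paths an earlier scan reported.
"""
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample log (same line shape as the MBAM 1.x log in the thread).
MBAM_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ApiMon (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\B1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.CouponBar) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
"""

# Constructed: paths a hypothetical earlier scan (e.g. the SAS run) reported.
EARLIER_SCAN_ITEMS = [
    r"C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007",
    r"C:\WINDOWS\SYSTEM32\MCRH.TMP",
]

# "Registry Keys Infected:" style section headers (summary lines with a count
# after the colon deliberately do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# "<item> (<detection name>) -> <action>." lines.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Registry locations that keep the problem alive across reboots or re-enable
# the symptom: a service entry restarts a component at boot, and an IE
# "New Windows\Allow" entry whitelists pop-ups from that domain.
PERSISTENCE_MARKERS = ("\\currentcontrolset\\services\\", "\\new windows\\allow\\")


class Finding(NamedTuple):
    section: str   # e.g. "Registry Keys Infected"
    item: str      # registry key/value or file system path
    name: str      # detection name, e.g. "Trojan.Vundo"
    family: str    # prefix before the first dot, e.g. "Trojan"
    action: str    # what the scanner did, e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text: str) -> List[Finding]:
    """Turn the log text into Finding records, one per detected item."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            name = m.group("name")
            findings.append(Finding(section, m.group("item"), name,
                                    name.split(".")[0], m.group("action")))
    return findings


def summarize_by_family(findings: List[Finding]) -> Counter:
    """Count detections per family (Trojan, Adware, Rogue, ...)."""
    return Counter(f.family for f in findings)


def summarize_by_name(findings: List[Finding]) -> Counter:
    """Count detections per full detection name."""
    return Counter(f.name for f in findings)


def repeat_detections(findings: List[Finding], earlier_items: List[str]) -> List[Finding]:
    """Items an earlier scan already reported (Windows paths compare case-insensitively)."""
    earlier = {i.lower() for i in earlier_items}
    return [f for f in findings if f.item.lower() in earlier]


def persistence_points(findings: List[Finding]) -> List[Finding]:
    """Findings in locations that restart a component or re-enable the symptom."""
    return [f for f in findings
            if any(mk in f.item.lower() for mk in PERSISTENCE_MARKERS)]


if __name__ == "__main__":
    found = parse_mbam_log(MBAM_LOG)
    print("by family:", dict(summarize_by_family(found)))
    print("already seen in an earlier scan:")
    for f in repeat_detections(found, EARLIER_SCAN_ITEMS):
        print("  ", f.item, "->", f.name)
    print("persistence / symptom re-enabling entries:")
    for f in persistence_points(found):
        print("  ", f.item, "->", f.name)
```

Reading the two reports this way makes the repeat question concrete: an item that comes back after it was "quarantined and deleted" normally means a still-running component recreates it, so the entries worth comparing between scans are the service and autostart ones, not the dropped files.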

#10 mp2002 (Topic Starter, Members, 22 posts)

Posted 09 March 2008 - 02:16 AM

I think my computer has gotten much slower just since running this last scan. Whenever I try to do anything I get the running clock for at least 5 minutes along with the Done but w/errors on page message. The address line at the bottom is always working and flashing new addresses like for all the ads. It took me about 15 minutes to get inside this thread and to say I wanted to post.

#11 boopme, "To Insanity and Beyond" (Global Moderator, 72,214 posts, NJ USA)

Posted 09 March 2008 - 02:54 PM

Let's clean up some file scraps and see if things speed up a bit. Let me know.
Also, have you looked to see if the hard drive needs to be defragmented? Start > All Programs > Accessories > System Tools > Disk Defragmenter

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.) Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#12 mp2002 (Topic Starter, Members, 22 posts)

Posted 10 March 2008 - 04:47 PM

Hi, sorry it took so long to get back, but it took a whole day to defragment, so I have done that and I have done the cleaner recommended. I ran the defragment all day yesterday and through the night. When I logged on this AM the adult ads are back with music. I really thought removing the google toolbar fixed it, but now it is back and no one else has been on the computer. They were gone for a day and a half or so. Computer is still running very slow w/lots of ads.

I ran the SAS again and it said there was still adware so I quarantined that again. Any additional thoughts? I am worried because I have 2 young nephews who come over and play games on this computer and since the ad hijack is on every screen I won't be able to let them on this computer until I get rid of the adult ad hijack issue. I am afraid I may have to wipe it completely clean.

Thanks.

#13 mp2002 (Topic Starter, Members, 22 posts)

Posted 10 March 2008 - 04:57 PM

Hi, just discovered I can no longer send e-mails. I keep getting the following error no matter what e-mail I try to send to:

mailcenter3.comcast.net/?cmd=composeManage&sid=c0&popup=yes - Internet explorer cannot d - Windows Internet Explorer.

Help!

#14 boopme, "To Insanity and Beyond" (Global Moderator, 72,214 posts, NJ USA)

Posted 10 March 2008 - 06:32 PM

To be honest with you, this PC is so badly infected that a full format and partition is probably your best bet. One, it'll take a few hours, and two, the HJT team is so swamped right now that they will be a day or so before they even respond to your log. The decision is yours. I don't know what else you have on the PC and how important it is. But if you want to proceed to the Hijack team we will provide you those instructions.

#15 mp2002 (Topic Starter, Members, 22 posts)

Posted 10 March 2008 - 07:51 PM

I think I would like to try the HJT route first because I would lose so much stuff (unless it is really complicated!). Thx.



