Last week my computer was infected with an outerinfo infection. As a result of this my computer was operating very slowly (almost not at all). I experienced multiple crashes and was getting "transferagent.exe" error messages and debugger messages. Logging onto the internet was a nightmare and I was getting more pop-ups than my patience could tolerate. Initially, I attempted to do a system restore (prior to finding your site), but did not have any restore dates to go back to. The problem was getting worse and I was beginning to think my computer was toast. At that time, I was fortunate enough to find your site and went through the process to clean my computer. This has actually taken several days as I have a lot of files and all of the scans took a long time.
I will list out the complete steps I have taken, including all requested logs below. Each requested log will be listed below each step. *******I have had to come in and add an edit, as the last half of my post (with the remaining requested steps) has been cut off. As I do not want to "bump" my topic or add a reply, I will wait for you to respond. I will resubmit the Malwarebytes scan, the Panda ActiveScan, the Trend Micro virus scan, and the Hijack log at that time. My note on the Windows update was also lost. I was unable to add it as I already have Service Pack 2. I also did the reboot test. Things appear to be much better and running more smoothly, but I get a lot of Internet Explorer pop-ups (and I use Firefox as my browser). I also have been getting the following message: "Error loading C:\WNDOWS\system3hrhjmau.dll. The specified module cannot be found." Please advise. I appreciate all of your help and will be patient during this process. As such I will check in daily for posts. Please let me know what I should do next. Thanks!
Renea (AKA tanaleefive)
1. I have run the outerinfo uninstaller.
2. I have downloaded and installed ComboFix and run the program (a copy of the log is below).
ComboFix 08-04-17.1 - Renea 2008-04-18 18:40:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1.#QNAN [GMT -7:00]
Running from: C:\Documents and Settings\Renea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Renea\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Renea\My Documents\ICROSO~1
C:\Documents and Settings\Renea\My Documents\ICROSO~1\?icrosoft\
C:\Documents and Settings\Renea\My Documents\ICROSO~1\wuaclt.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\mantec~1
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\gnibjoyu.dll
C:\WINDOWS\SYSTEM32\iixidxcw.ini
C:\WINDOWS\system32\lftqxbjt.dll
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ttgthmnl.dll
C:\WINDOWS\SYSTEM32\uyojbing.ini
C:\WINDOWS\system32\wcxdixii.dll
C:\WINDOWS\system32\ylgbmvrq.dll
C:\WINDOWS\SYSTEM32\yxbeffhk.ini
C:\WINDOWS\SYSTEM32\yxbeffhk.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NETWORK_MONITOR
-------\Service_TnIDriver
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.
2008-04-18 19:13 . 2008-04-18 19:13 345 --ahs---- C:\WINDOWS\SYSTEM32\orutwxyb.ini
2008-04-18 19:12 . 2008-04-18 19:13 274,432 --a------ C:\WINDOWS\SYSTEM32\byxwturo.dll
2008-04-18 19:08 . 2008-04-18 19:08 22 --a------ C:\WINDOWS\pskt.ini
2008-04-17 23:42 . 2008-04-18 18:22 <DIR> d-------- C:\Documents and Settings\Renea\Application Data\AdwareAlert
2008-04-17 23:27 . 2008-04-17 23:27 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-04-17 23:27 . 2008-03-31 12:42 22,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adwarealert.sys
2008-04-17 23:02 . 2008-04-17 23:04 <DIR> d-------- C:\Documents and Settings\Stephen Snodgrass\Application Data\AdwareAlert
2008-04-17 23:00 . 2008-04-17 23:00 <DIR> d-------- C:\Program Files\AdwareAlert
2008-04-17 22:16 . 2008-04-17 22:24 1,529,413 ---hs---- C:\WINDOWS\SYSTEM32\bcxyuxto.ini
2008-04-15 21:14 . 2008-04-15 21:14 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-15 20:59 . 2008-04-15 20:59 110,623 --a------ C:\WINDOWS\SYSTEM32\bgxwcnev.dll
2008-04-15 20:54 . 2008-04-17 21:39 1,529,249 ---hs---- C:\WINDOWS\SYSTEM32\gsjyynuc.ini
2008-04-15 20:50 . 2008-04-15 20:50 105,561 --a------ C:\WINDOWS\SYSTEM32\cttcvajb.dll
2008-04-15 18:49 . 2008-04-15 20:07 <DIR> d-------- C:\Program Files\Outerinfo(2)
2008-04-15 18:09 . 2008-04-15 18:09 34,099 --a------ C:\WINDOWS\SYSTEM32\efcbbcbx.dll
2008-04-15 18:05 . 2008-04-15 18:05 396,267 --a------ C:\WINDOWS\SYSTEM32\khffebxy.dll
2008-04-15 18:01 . 2008-04-15 21:45 <DIR> d--hs---- C:\WINDOWS\U3RlcGhlbiAgU25vZGdyYXNz
2008-04-15 18:01 . 2008-04-15 21:01 63,839 --a------ C:\WINDOWS\SYSTEM32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll-uninst.exe
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\sFi
2008-04-15 18:00 . 2008-04-15 20:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\pinz1
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\IDE2
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\ExTmp
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\bharebio01
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\TEMP\wdlw14
2008-04-15 18:00 . 2008-04-15 18:00 34,099 --a------ C:\WINDOWS\SYSTEM32\fcccbabc.dll
2008-04-10 08:17 . 2008-04-10 08:17 330,752 --a------ C:\WINDOWS\SYSTEM32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll
2008-03-20 08:14 . 2004-05-31 03:59 <DIR> d--h----- C:\Documents and Settings\TEMP\WLANProfiles
2008-03-20 08:14 . 2008-03-20 08:15 <DIR> d-------- C:\Documents and Settings\TEMP
2008-03-20 08:14 . 2008-04-18 18:36 1,024 --ah----- C:\Documents and Settings\TEMP\ntuser.dat.LOG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 05:10 --------- d-----w C:\Program Files\Plaxo
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-07 00:34 --------- d-----w C:\Documents and Settings\Renea\Application Data\CyberLink
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2005-06-01 21:18 483,401 ----a-w C:\Documents and Settings\Stephen Snodgrass\gotomypc.exe
2005-07-29 23:24 472 --sha-r C:\WINDOWS\U3RlcGhlbiAgU25vZGdyYXNz\oal5w315v2E0oZcSt3xVsrhW.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52e4403d-459d-3737-2fa2-bfb78657be67}]
2008-04-10 08:17 330752 --a------ C:\WINDOWS\system32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B99C882-F7B5-48DF-9950-0245D04BE81B}]
2008-04-18 19:13 274432 --a------ C:\WINDOWS\system32\byxwturo.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECDF9CC-D471-4320-8F83-EAD7BFA9B4DA}]
2008-04-15 18:05 396267 --a------ C:\WINDOWS\system32\khffebxy.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d693195b-e520-4990-a6b3-0917f1b9879d}]
2008-04-18 19:22 94784 --a------ C:\WINDOWS\system32\rixvubha.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
2008-04-15 18:00 34099 --a------ C:\WINDOWS\system32\fcccbabc.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 15:35 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 14:46 135168]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-04-17 13:35 7173360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 13:32 155648]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 11:30 335872]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 23:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01 110592]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 18:59 487424]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 15:32 86016]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-12-12 12:22 217088]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 08:05 53248]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 08:05 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-12 12:01 180269]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2005-06-30 14:56 114688]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 23:32 372813]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-18 21:39 282624]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"BM175e83d4"="C:\WINDOWS\system32\wmbhqhhh.dll" [2008-04-18 19:18 96320]
"146db048"="C:\WINDOWS\system32\lbchyjio.dll" [2008-04-18 19:19 87616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\
logon.bat [2006-04-10 11:50:55 33]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-03 23:18:27 113664]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
eFax Live Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-07-23 00:46:42 17408]
eFax Tray Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe [2004-07-23 00:44:32 40960]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\fcccbabc.dll [2008-04-15 18:00 34099]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbabc]
fcccbabc.dll 2008-04-15 18:00 34099 C:\WINDOWS\SYSTEM32\fcccbabc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2004-01-12 04:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\byxwturo
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 7\\win32\\dbeng7.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14b757d2-9545-11dc-8478-00038a000015}]
\Shell\AutoRun\command - E:\Launch.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{641e3920-abb3-11db-83fc-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 02:10:57 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-04-19 02:26:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 19:07:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\byxwturo.dll 274432 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\fcccbabc.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lbchyjio.dll
-> C:\WINDOWS\system32\wmbhqhhh.dll
-> C:\WINDOWS\system32\byxwturo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\WINDOWS\SYSTEM32\scardsvr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$OASIS\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\Temp\II455D.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-18 19:30:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 02:29:26
Pre-Run: 21,239,816,192 bytes free
Post-Run: 22,551,789,568 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-18 04:47:41 --- E O F ---
3. I have installed the Windows XP Recovery Console (this was done prior to running the ComboFix scan).
4. I have downloaded, installed and run SUPERAntiSpyware Home Edition, scanned my system, and quarantined the results (a copy of the log is below).
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/19/2008 at 12:57 PM
Application Version : 4.0.1154
Core Rules Database Version : 3442
Trace Rules Database Version: 1434
Scan type : Custom Scan
Total Scan Time : 04:29:53
Memory items scanned : 578
Memory threats detected : 12
Registry items scanned : 7171
Registry threats detected : 125
File items scanned : 82341
File threats detected : 261
Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\FCCCBABC.DLL
C:\WINDOWS\SYSTEM32\FCCCBABC.DLL
C:\WINDOWS\SYSTEM32\SSQOPOLI.DLL
C:\WINDOWS\SYSTEM32\SSQOPOLI.DLL
C:\WINDOWS\SYSTEM32\XXYWTQNN.DLL
C:\WINDOWS\SYSTEM32\XXYWTQNN.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\fcccbabc
C:\WINDOWS\SYSTEM32\DBVGQHSI.DLL
C:\WINDOWS\SYSTEM32\EFCBBCBX.DLL
C:\WINDOWS\SYSTEM32\WMBHQHHH.DLL
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\KHFFEBXY.DLL
C:\WINDOWS\SYSTEM32\KHFFEBXY.DLL
Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\HRHWJMAU.DLL
C:\WINDOWS\SYSTEM32\HRHWJMAU.DLL
HKLM\Software\Classes\CLSID\{d2de688a-ab9a-4a7e-8d5a-91f5114afd91}
HKCR\CLSID\{D2DE688A-AB9A-4A7E-8D5A-91F5114AFD91}
HKCR\CLSID\{D2DE688A-AB9A-4A7E-8D5A-91F5114AFD91}\InprocServer32
HKCR\CLSID\{D2DE688A-AB9A-4A7E-8D5A-91F5114AFD91}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MBPIFABP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2de688a-ab9a-4a7e-8d5a-91f5114afd91}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP727\A0123300.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125331.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125332.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125333.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125334.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125335.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP734\A0127299.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP736\A0127343.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP736\A0127344.DLL
C:\WINDOWS\SYSTEM32\LBCHYJIO.DLL
C:\WINDOWS\SYSTEM32\RIXVUBHA.DLL
Adware.Adservs
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\ASAPPSRV.DLL
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\ASAPPSRV.DLL
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0122226.DLL
C:\WINDOWS\SYSTEM32\EXTMP\BMV35GUI.EXE
C:\WINDOWS\SYSTEM32\ITMP\VBA35GUI.EXE
Trojan.Unclassified/BrowserDriver
C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
[{DB-B0-0E-E7-DW}] C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP722\A0121243.EXE
C:\WINDOWS\SYSTEM32\TRCTMP\KMDMNS2.EXE
Trojan.NetMon/DNSChange
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#ActiveService
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
C:\Program Files\Network Monitor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121255.EXE
Unclassified.Unknown Origin
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\COMMAND.EXE
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\COMMAND.EXE
HKLM\Software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}#AppID
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32#ThreadingModel
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ProgID
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\Programmable
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\TypeLib
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\VersionIndependentProgID
C:\PROGRAM FILES\CPV\CPV8.DLL
HKLM\Software\Classes\CLSID\{3D87B50D-542A-45b6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Implemented Categories
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\InprocServer32
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\InprocServer32#ThreadingModel
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Programmable
C:\WINDOWS\SYSTEM32\MYSS_SB.DLL
HKLM\Software\Classes\CLSID\{6156A32A-C512-4e23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\InprocServer32
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\InprocServer32#ThreadingModel
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\Programmable
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}
HKU\S-1-5-21-2691493660-4031562367-1574305365-1008\Software\Microsoft\Internet Explorer\Explorer Bars\{3D87B50D-542A-45b6-96E9-F03CFAA8C962}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121256.EXE
Adware.DeeWoo/ThinkAdz
C:\WINDOWS\SYSTEM32\SCNTSKDN.EXE
C:\WINDOWS\SYSTEM32\SCNTSKDN.EXE
Trojan.Downloader-Gen/FakeAlert-A
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\MICROSOFT\WINDOWS\RAYIOU.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\MICROSOFT\WINDOWS\RAYIOU.EXE
Trojan.Net-Wintouch/V2
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE
[WinTouch] C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE
Trojan.Downloader-Gen/MROFIN
[runner1] C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\MROFINU572.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.VIR
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU572.EXE.TMP
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}\InprocServer32
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
Adware.AdRotate/System
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52e4403d-459d-3737-2fa2-bfb78657be67}
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}\InProcServer32
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\{9A7DD64F-1C4B-6DF0-FAF7-0310516CB0F1}.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP718\A0121162.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121213.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP722\A0121246.DLL
Trojan.Vundo-Variant/G
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9ACC364-C196-4467-9EA4-63BA78DB641A}
HKCR\CLSID\{F9ACC364-C196-4467-9EA4-63BA78DB641A}
HKCR\CLSID\{F9ACC364-C196-4467-9EA4-63BA78DB641A}\InprocServer32
HKCR\CLSID\{F9ACC364-C196-4467-9EA4-63BA78DB641A}\InprocServer32#ThreadingModel
Adware.Tracking Cookie
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@insightexpressai[1].txt
C:\Documents and Settings\Renea\Cookies\renea@doubleclick[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@adrevolver[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@apmebf[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@gomyhit[4].txt
C:\Documents and Settings\Renea\Cookies\renea@clicksor[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@exitexchange[2].txt
C:\Documents and Settings\Renea\Cookies\renea@atdmt[2].txt
C:\Documents and Settings\Renea\Cookies\renea@adnetserver[1].txt
C:\Documents and Settings\Renea\Cookies\renea@realmedia[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][3].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@casalemedia[2].txt
C:\Documents and Settings\Renea\Cookies\renea@questionmarket[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@interclick[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@azjmp[2].txt
C:\Documents and Settings\Renea\Cookies\renea@indiads[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@tribalfusion[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@shopica[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@fastclick[2].txt
C:\Documents and Settings\Renea\Cookies\renea@serving-sys[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@precisionclick[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@overture[1].txt
C:\Documents and Settings\Renea\Cookies\renea@media6degrees[2].txt
C:\Documents and Settings\Renea\Cookies\renea@tacoda[2].txt
C:\Documents and Settings\Renea\Cookies\renea@adecn[2].txt
C:\Documents and Settings\Renea\Cookies\renea@avsystemcare[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@gomyhit[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@eyewonder[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@247realmedia[1].txt
C:\Documents and Settings\Renea\Cookies\renea@trafficmp[1].txt
C:\Documents and Settings\Renea\Cookies\renea@imrworldwide[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@antispywaremaster[1].txt
C:\Documents and Settings\Renea\Cookies\renea@advertising[1].txt
C:\Documents and Settings\Renea\Cookies\renea@zedo[1].txt
C:\Documents and Settings\Renea\Cookies\renea@antispywaresuite[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@mediaplex[1].txt
C:\Documents and Settings\Renea\Cookies\renea@gomyhit[3].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@statcounter[1].txt
C:\Documents and Settings\Renea\Cookies\renea@adbrite[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@specificclick[2].txt
C:\Documents and Settings\Renea\Cookies\renea@adlegend[2].txt
C:\Documents and Settings\Renea\Cookies\renea@findwhat[1].txt
C:\Documents and Settings\LocalService\Cookies\system@advertising[2].txt
C:\Documents and Settings\LocalService\Cookies\system@atwola[2].txt
C:\Documents and Settings\LocalService\Cookies\system@clickagents[1].txt
C:\Documents and Settings\LocalService\Cookies\system@crossmediaservices[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt
C:\Documents and Settings\LocalService\Cookies\system@mediatraffic[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@247realmedia[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@2o7[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@2o7[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@adbrite[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@adlegend[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@adrevolver[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@advertising[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@atdmt[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@atwola[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@bizrate[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@casalemedia[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@centralmediaserver[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@discountgolfshoes[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@doubleclick[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@eyewonder[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@fastclick[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@hitbox[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@imrworldwide[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@insightexpressai[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@kontera[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][3].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@mediaplex[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@nextag[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@overture[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@partner2profit[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@questionmarket[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@realmedia[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@revenue[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@revsci[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@roiservice[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][3].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@specificclick[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@statcounter[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@tacoda[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@trafficmp[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@tribalfusion[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][3].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][4].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@youporn[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@zedo[1].txt
Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\ADWAREALERT\QUARANTINE\17-04-2008-23-48-51\692.QIT
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\RENEA\MY DOCUMENTS\ICROSO~1\WUACLT.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP718\A0121164.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP720\A0121182.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121238.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121257.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121258.EXE
Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control#ActiveService
Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax
Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C9M7KX6B\INSTALLER[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP724\A0122247.VBS
C:\WINDOWS\SYSTEM32\SFI\CSEE145.EXE
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\OAL5W315V2E0OZCST3XVSRHW.VBS
C:\WINDOWS\UNINSTALL_NMON.VBS
Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 ]
RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk
Rogue.SysCleaner
HKU\S-1-5-21-2691493660-4031562367-1574305365-1008\Software\WinTouch
HKU\S-1-5-21-2691493660-4031562367-1574305365-1008\Software\Microsoft\Windows\CurrentVersion\Run#WinTouch [ C:\Documents and Settings\Renea\Application Data\WinTouch\WinTouch.exe ]
Adware.WinTouch/XInside
C:\Documents and Settings\Renea\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Renea\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Renea\Application Data\WinTouch
Trojan.Unclassified/NVCOI
C:\Program Files\CPV
C:\Program Files\Temporary
Rogue.AntiSpywareMaster
C:\Program Files\AntiSpywareMaster
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMP\WINVSNET.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C9M7KX6B\WINVSNET[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121221.EXE
Adware.OuterInfo-Installer
C:\DOCUMENTS AND SETTINGS\RENEA\DESKTOP\OIUNINSTALLER.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121206.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP735\A0127316.EXE
Adware.Yazzle-Installer
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMP\YAZZSNET.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPABW9QF\YAZZSNET[1].EXE
Trojan.Unclassified/Dropper
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8DARKL23\WTREC.PROD.V10006.11DEC2007.EXE[1].C516A643C558A4D4DAA4EFAFD47EFF15
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPABW9QF\WTUNINSTALLER.PROD.V10008.28DEC2007.EXE[1].6E13E72A172C38497DBF3A6E4FA179D5
Adware.WinTouch-Installer
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C9M7KX6B\WINTOUCHINSTALLER[1].EXE
Malware.LocusSoftware Inc/Gen
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPABW9QF\INSTALL_EN[2].EXE
Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP727\A0123299.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP734\A0127298.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP736\A0128298.DLL
Trojan.Downloader-Gen/Bundle Installer
C:\WINDOWS\B155.EXE
C:\WINDOWS\B156.EXE
Adware.ClickSpring/Yazzle
C:\WINDOWS\PREFETCH\YAZZLE1281OINADMIN.EXE-27312430.PF
C:\WINDOWS\PREFETCH\YAZZLE1281OINUNINSTALLER.EXE-21B1415A.PF
Adware.Dropper/BHAREBIO
C:\WINDOWS\SYSTEM32\BHAREBIO01\BHAREBIO011065.EXE
Rootkit.TNCore-Variant/A
C:\WINDOWS\SYSTEM32\DRIVERS\NTFSS.SYS
Rootkit.TNCore-Installer
C:\WINDOWS\SYSTEM32\IDE2\MDLLCOM2.EXE
C:\WINDOWS\SYSTEM32\SLNEW\GPEDIRE1.EXE
Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG
Trojan.SVCHost/Fake
C:\WINDOWS\STEM~1\SVCHOST.EXE
5. I have downloaded the ATF cleaner and cleaned the Firefox browser and the Explorer browser. (no log produced)
6. I created a system restore checkpoint.
7. I have downloaded, installed and run the Malwarebytes' Anti-Malware Free Version (a copy of the log is below).
Malwarebytes' Anti-Malware 1.11
Database version: 656
Scan type: Quick Scan
Objects scanned: 35594
Time elapsed: 46 minute(s), 8 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 43
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 46
Files Infected: 1791
Memory Processes Infected:
c:\program files\Twain\Twain.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Unloaded process successfully.
Memory Modules Infected:
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Unloaded module successfully.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Unloaded module successfully.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT
Edited by tanaleefive, 20 April 2008 - 03:33 PM.