Trojan:Win32/Vundo.gen!M
-
This has recently been found by Windows Defender on my computer, but an error message comes up when I try to delete/quarantine it.
This is what comes up after the scan:
Category:
Trojan
Description:
This program displays advertisements and may be difficult to remove.
Advice:
Remove this software immediately.
Resources:
clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}
regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN \\MSServer
regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}
regkey:
HKCU@S-1-5-21-3097589998-3562996084-349051849-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN \\MSServer
regkey:
HKCU@S-1-5-21-3097589998-3562996084-349051849-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN \\cmds
runkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN \\MSServer
runkey:
HKCU@S-1-5-21-3097589998-3562996084-349051849-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN \\MSServer
runkey:
HKCU@S-1-5-21-3097589998-3562996084-349051849-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN \\cmds
file:
C:\Windows\system32\urqRHwUN.dll
file:
C:\Windows\system32\mlJYsqpq.dll
file:
C:\Users\Hurley Family\AppData\Local\Temp\khfEUnOh.dll
file:
C:\Users\Hurley Family\AppData\Local\Temp\geBtRlmK.dll
It caused adult popups to come up on my screen and random internet adverts. It even managed to turn off McAfee. I've tried to restore my computer to 4 days previous, but I think I still have a problem.
I use a Dell PC, running in Windows Vista Home Premium and here is my HJT log. I hope you can help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:36:26, on 23/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Users\Hurley Family\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Hurley Family\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0125461213900588) (0125461213900588mcinstcleanup) - Unknown owner - C:\Windows\TEMP\012546~1.EXE (file missing)
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 8158 bytes
-
Welcome
The tool below is a Vundo trojan killer.
Please download and install SUPERAntiSpyware Trial Pro Edition SUPERAntiSpyware.com - AntiAdware. AntiSpyware. AntiMalware.
* Load SUPERAntiSpyware and click the Check for Updates button.
* Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning; it may interfere with the scanning process.
* Open SUPERAntiSpyware and click the Scan your Computer button.
* Check Perform Complete Scan and then click Next.
* SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
* Make sure that they all have a check next to them, and then click Next.
* Click Finish and you will be taken back to the main interface.
* It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
* I'll need a log afterwards of what has been found.
* To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
* Please post the results of the SUPERAntiSpyware log in your next reply.
ALSO...
Update Java: Security Issue
* Go to Start > Control Panel double-click on the Software icon > add/remove programs.
* Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
It should have next icon next to it: 
Select it and click Remove.
* The current version can be downloaded from Sun here: Java SE Downloads. Scroll down the page to 'Java Runtime Environment (JRE) 6u6 (or higher)' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
-
Here is the result from my scan.
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Generated 06/24/2008 at 08:56 PM
Application Version : 4.15.1000
Core Rules Database Version : 3489
Trace Rules Database Version: 1480
Scan type : Complete Scan
Total Scan Time : 00:33:31
Memory items scanned : 600
Memory threats detected : 0
Registry items scanned : 6204
Registry threats detected : 0
File items scanned : 26455
File threats detected : 276
Adware.Tracking Cookie
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ads.planetactive[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@stumbleupon.112.2o7[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www.s****horpe-united.premiumtv.co[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@pacificpoker[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@youporn[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ads1.partnerlogic[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@mediametrics.mpsa[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ehg-dig.hitbox[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@imrworldwide[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@account.live[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@stat.youku[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@cz6.clickzs[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@msnportal.112.2o7[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@lnx01.mediaondemand[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ads.gamesbannernet[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www.googleadservices[6].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ads.react2media[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@eurostar.122.2o7[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ygo.adultfanfiction[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@e-2dj6wbl4coajwbp.stats.esomniture[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@hitbox[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@anat.tacoda[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ehg-starbucks.hitbox[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@fastfinders.co[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ad.uk.tangozebra[3].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@insightexpressai[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@adlegend[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ad2.doublepimp[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ads-dev.youporn[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@server.cpmstar[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@clicktorrent[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@server.iad.liveperson[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@adopt.euroclick[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@xiti[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@media.fastclick[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@server.iad.liveperson[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@server.iad.liveperson[3].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ehg-autotrader.hitbox[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@e-2dj6wjlyencpelp.stats.esomniture[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ehg-foxmovies.hitbox[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@flights.trailfinders[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@e-2dj6wjloskazseo.stats.esomniture[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@stat.dealtime[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@ehg-baa.hitbox[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@server.iad.liveperson[4].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www.yourtracking[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www5.addfreestats[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@findaproperty[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@hertz.122.2o7[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@richmedia.yahoo[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@mysoccermedia[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www7.addfreestats[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@doubleclick[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@zedo[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www.warezquality[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www6.addfreestats[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www3.addfreestats[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@socialmedia[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@bs.serving-sys[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@roiservice[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@bluestreak[2].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@dealtime[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@cz7.clickzs[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@www1.addfreestats[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@adnetserver[1].txt
C:\Users\Hurley Family\AppData\Roaming\Microsoft\Windows\Cookies\L ow\hurley_family@dmtracker[1].txt
Trojan.Security Toolbar
C:\Users\Hurley Family\Favorites\Antivirus Test Online.url
-
Not much came of that but a little.
What is going on now?
New hijackthis log please.
-
Since I've restored my computer, it seems to have stopped the pop ups, but it is still running slower than it should be. Also, Windows Defender brings up a message saying it has 2 items detected (the trojan) every time I start up my PC. Yet it brings up an error message when I try to delete or quarantine it.
Here is the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:18:06, on 26/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Users\Hurley Family\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Hurley Family\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 7832 bytes
-

Visit this page below to familiarize yourself with the tool below:
A guide and tutorial on using ComboFix
If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save to your desktop:
Note:
It is IMPORTANT that it is saved directly to your desktop
Close any open browsers.
Disconnect from the Internet.
Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Disable your antivirus program and any realtime malware scanners and script blockers now.
How To Disable
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Re-enable your anti-virus and re-connect back to the internet and post the combofix log.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
ComboFix SHOULD NOT be used unless requested by a forum helper.