0-length ntoskrnl.dll (NOT ntoskrnl.exe)

Ron Aaronson · Dec 4, 2006

I have discovered that I have a 0-length
\windows\system32\ntoskrnl.dll file. I believe as the result of a
trojan horse that has been removed. My ntoskrnk.exe file seems to be
uncorrupted. The system seems to run ok except occasionally I will
get a system popup complaining that ntoskrnl.dll is not a valid
Windows image. I reply "ok" to this and the blocked thread seems to
continue normally. ntoskrnl.dll does not seem to exist on my friend's
Windows xp system at all, so I am tempted to remove this file
altogether but am afraid that I will not be able to reboot if I do.
Does anyoe have any recommendations?

David H. Lipman · Dec 4, 2006

From: "Ron Aaronson" <[email protected]>

| I have discovered that I have a 0-length
| \windows\system32\ntoskrnl.dll file. I believe as the result of a
| trojan horse that has been removed. My ntoskrnk.exe file seems to be
| uncorrupted. The system seems to run ok except occasionally I will
| get a system popup complaining that ntoskrnl.dll is not a valid
| Windows image. I reply "ok" to this and the blocked thread seems to
| continue normally. ntoskrnl.dll does not seem to exist on my friend's
| Windows xp system at all, so I am tempted to remove this file
| altogether but am afraid that I will not be able to reboot if I do.
| Does anyoe have any recommendations?

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

Ron Aaronson · Dec 5, 2006

David H. Lipman said:
From: "Ron Aaronson" <[email protected]>

| I have discovered that I have a 0-length
| \windows\system32\ntoskrnl.dll file. I believe as the result of a
| trojan horse that has been removed. My ntoskrnk.exe file seems to be
| uncorrupted. The system seems to run ok except occasionally I will
| get a system popup complaining that ntoskrnl.dll is not a valid
| Windows image. I reply "ok" to this and the blocked thread seems to
| continue normally. ntoskrnl.dll does not seem to exist on my friend's
| Windows xp system at all, so I am tempted to remove this file
| altogether but am afraid that I will not be able to reboot if I do.
| Does anyoe have any recommendations?

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

I have run various scans and do not believe that may machine is still
infected. I have looked at other Windows XP systems and they do not
seem to have an ntoskrnl.dll file at all. I am thinking that one of
the trojan horse cleanup programs I ran may have truncated this file
to 0 rather than deleting it. So what I would really like to try is
first simply deleting this file. My fear is that if I am wrong about
this file not being required I may not be able ot reboot. I would
like to get confirmation from an expert that this file may be safely
removed. If this file indeed is not a component of Windows XP, I have
no assurance that going through the process you suggest will detect
this file and take action on it (the last scan I ran did not touch
this file). So I am hesitant about running another unknown 3rd-party
product unless I can be sure it addresses this very specific issue.

Is anyone out there able to tell me what ntoskrnl.dll is on a Windows
XP (not Windows 2000) system? Can I safely remove it? Thanks.

Blades · Dec 5, 2006

It's a file 0 bytes long! How much work do you think it can do? IF it
were required, you'd be talking to us though another computer.

That said, I have never seen ntoskrnl.dll on any [non-infected] WinXP
machine.

Daniel Crichton · Dec 5, 2006

Ron wrote on Tue, 05 Dec 2006 07:51:32 -0500:

Is anyone out there able to tell me what ntoskrnl.dll is on a Windows
XP (not Windows 2000) system? Can I safely remove it? Thanks.

Never seen it on any XP machine I'm running.

However, the popup saying it's not a valid image indicates that something is
attempting to load it - so that means your PC still isn't clean. Try
HijackThis (http://www.spywareinfo.com/~merijn/programs.php) in safe mode
and check the output of the registry keys to see if anything looks
suspicious, there are a few forums around where you can post a HijackThis
log file and people will point out what should be removed.

Dan

Ron Aaronson · Dec 5, 2006

Daniel Crichton said:
Ron wrote on Tue, 05 Dec 2006 07:51:32 -0500:

Never seen it on any XP machine I'm running.

However, the popup saying it's not a valid image indicates that something is
attempting to load it - so that means your PC still isn't clean. Try
HijackThis (http://www.spywareinfo.com/~merijn/programs.php) in safe mode
and check the output of the registry keys to see if anything looks
suspicious, there are a few forums around where you can post a HijackThis
log file and people will point out what should be removed.

Dan

Now you're talking! Thanks.

David H. Lipman · Dec 5, 2006

Ron Aaronson · Dec 6, 2006

David H. Lipman said:
From: "Ron Aaronson" <[email protected]>

| Now you're talking! Thanks.

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is not required in the below before posting a log
http://www.thespykiller.co.uk/forum/?action=forum

NOTE: Registration is REQUIRED in any of the below before posting a log
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

I have already posted a HijackThis log to both
http://forums.spywareinfo.com/index.php?showforum=18 and
http://www.bleepingcomputer.com/forums/forum22.html

Thanks.

David H. Lipman · Dec 6, 2006

From: "Ron Aaronson" <[email protected]>

|
| I have already posted a HijackThis log to both
| http://forums.spywareinfo.com/index.php?showforum=18 and
| http://www.bleepingcomputer.com/forums/forum22.html
|
| Thanks.

Great !

Could you please provide the SPECIFIC thread urls of your posts.

Blades · Dec 7, 2006

Found them:
http://forums.spywareinfo.com/index.php?showtopic=90542&hl=ntoskrnl.dll
and
http://www.bleepingcomputer.com/forums/index.php?showtopic=74452&hl=ntoskrnl.dll

Although, from glancing at the second one, I'd get rid of your
MStask32.exe: http://www.twistthenew.com/dir/M/mstask32.exe.php

Oh, and I noticed what was trying to load ntoskrnl.dll. Windows. As a
security provider. Open regedit, and remove it from the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders.

David H. Lipman · Dec 7, 2006

From: "Blades" <[email protected]>

| Found them:
| http://forums.spywareinfo.com/index.php?showtopic=90542&hl=ntoskrnl.dll
| and
| http://www.bleepingcomputer.com/forums/index.php?showtopic=74452&hl=ntoskrnl.dll
|
| Although, from glancing at the second one, I'd get rid of your
| MStask32.exe: http://www.twistthenew.com/dir/M/mstask32.exe.php
|
| Oh, and I noticed what was trying to load ntoskrnl.dll. Windows. As a
| security provider. Open regedit, and remove it from the key
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders.
|

Thanx !!

Yes, MSTASK32.EXE is related to a few viruses and Trojans.
http://www.sophos.com/support/knowl...search=0&action=search&submit.x=54&submit.y=4

Specifically...
O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe
http://www.sophos.com/virusinfo/analyses/trojloonyd.html

I aksed him to run the Multi AV Scanning Tool early on.
He replied "I have run various scans and do not believe that may machine is still infected."

I should have pressed the point of "what scanners" did he use and for him to still run the
Multi AV Scanning Tool. My intuition was that malware was/is the causative factor.

Ron Aaronson · Dec 13, 2006

Sorry I haven't gotten back to this thread in a while. I have been
working with "Buckeye_Sam" (see
http://www.bleepingcomputer.com/forums/index.php?showtopic=74452&hl=ntoskrnl.dll).
I am sorry I cannot recall which scanner detected and attempted to
clean up the malware. I do have on my machine both Ad-Aware SE
Personal and SuperAntiSpyWare Free Edition and it may have been the
latter. ntoskrnl.dll has now been removed and all the popups have
gone away. I am still waiting for feedback to my latest post to
bleepingcomputer.com. At some point I suppose I will be instructed
to remove this from the registry. As for Mstask32.exe, I can find no
instance of this under the Windows directory.

David H. Lipman · Dec 13, 2006

From: "Ron Aaronson" <[email protected]>

| Sorry I haven't gotten back to this thread in a while. I have been
| working with "Buckeye_Sam" (see
| http://www.bleepingcomputer.com/forums/index.php?showtopic=74452&hl=ntoskrnl.dll).
| I am sorry I cannot recall which scanner detected and attempted to
| clean up the malware. I do have on my machine both Ad-Aware SE
| Personal and SuperAntiSpyWare Free Edition and it may have been the
| latter. ntoskrnl.dll has now been removed and all the popups have
| gone away. I am still waiting for feedback to my latest post to
| bleepingcomputer.com. At some point I suppose I will be instructed
| to remove this from the registry. As for Mstask32.exe, I can find no
| instance of this under the Windows directory.
|

Lets hope its gone.

It was listed in the HJT Log as...

O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe

Perform HJT again { Do NOT post the HJT log here } and see if the above shows up.

Please reply back if it is or not still in the latest HJT log.

Ron Aaronson · Dec 14, 2006

David H. Lipman said:
From: "Ron Aaronson" <[email protected]>

| Sorry I haven't gotten back to this thread in a while. I have been
| working with "Buckeye_Sam" (see
| http://www.bleepingcomputer.com/forums/index.php?showtopic=74452&hl=ntoskrnl.dll).
| I am sorry I cannot recall which scanner detected and attempted to
| clean up the malware. I do have on my machine both Ad-Aware SE
| Personal and SuperAntiSpyWare Free Edition and it may have been the
| latter. ntoskrnl.dll has now been removed and all the popups have
| gone away. I am still waiting for feedback to my latest post to
| bleepingcomputer.com. At some point I suppose I will be instructed
| to remove this from the registry. As for Mstask32.exe, I can find no
| instance of this under the Windows directory.
|

Lets hope its gone.

It was listed in the HJT Log as...

O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe

Perform HJT again { Do NOT post the HJT log here } and see if the above shows up.

Please reply back if it is or not still in the latest HJT log.

The latest log still has the line:

O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe

But I cannot find an instance of Mstask32.exe in any of the obvious
places. Does the above line signify an attempt to run such a module
or is it clear evidence that an instance of Mstask32.exe is actually
running? I found in the regsitry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Mstask32driver = Mstask32.exe

So there may be an attempt to run this. I suspect that one of the
malware scans I ran deleted Mstask32.exe but neglected to clean up the
registry. Should I clean this up?

David H. Lipman · Dec 14, 2006

From: "Ron Aaronson" <[email protected]>

|
| The latest log still has the line:
|
| O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe
|
| But I cannot find an instance of Mstask32.exe in any of the obvious
| places. Does the above line signify an attempt to run such a module
| or is it clear evidence that an instance of Mstask32.exe is actually
| running? I found in the regsitry:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
| Mstask32driver = Mstask32.exe
|
| So there may be an attempt to run this. I suspect that one of the
| malware scans I ran deleted Mstask32.exe but neglected to clean up the
| registry. Should I clean this up?

Start with the Sophos module of the below Multi AV Scanning Tool...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

Ron Aaronson · Dec 15, 2006

I think everything has been cleared up -- here are the results of
Sophos and McAfee scans:

------------------------------ Sophos ------------------

Sophos Anti-Virus
Version 4.12.0 [Win32/Intel]
Virus data version 4.12, December 2006
Includes detection for 202513 viruses, trojans and worms
Copyright (c) 1989-2006 Sophos Plc, www.sophos.com

System time 11:30:22, System date 15 December 2006
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc
-archive -opt=ISCabinet --stop-scan

IDE directory is: c:\AV-CLS\Sophos

Using IDE file traxg-e.ide
Using IDE file click-ea.ide
Using IDE file bagle-qx.ide
Using IDE file bront-ai.ide
Using IDE file agen-dsf.ide
Using IDE file bagle-qs.ide
Using IDE file bagle-qt.ide
Using IDE file bagle-qw.ide
Using IDE file agen-dwm.ide
Using IDE file bagdl-bw.ide
Using IDE file bagle-qy.ide
Using IDE file baglezip.ide
Using IDE file lowzo-ds.ide
Using IDE file banc-avs.ide
Using IDE file banc-axx.ide
Using IDE file nebule-n.ide
Using IDE file bank-dnm.ide
Using IDE file nesht-a.ide
Using IDE file banl-ase.ide
Using IDE file newurg-a.ide
Using IDE file zlob-wt.ide
Using IDE file bckd-pqp.ide
Using IDE file bombka-p.ide
Using IDE file zlob-wq.ide
Using IDE file zlob-wp.ide
Using IDE file zlob-ox.ide
Using IDE file zhengt-a.ide
Using IDE file xorpix-h.ide
Using IDE file vixup-bz.ide
Using IDE file clagg-an.ide
Using IDE file wow-im.ide
Using IDE file codeba-u.ide
Using IDE file vb-cuz.ide
Using IDE file dloa-akq.ide
Using IDE file vanity-a.ide
Using IDE file dloa-aqn.ide
Using IDE file dloa-aqs.ide
Using IDE file dloa-arb.ide
Using IDE file dloa-are.ide
Using IDE file nordex-a.ide
Using IDE file tileb-ic.ide
Using IDE file dloadrwz.ide
Using IDE file dnsbus-n.ide
Using IDE file tileb-ga.ide
Using IDE file dref-q.ide
Using IDE file dref-r.ide
Using IDE file dref-s.ide
Using IDE file strat-cj.ide
Using IDE file strat-ci.ide
Using IDE file strat-ch.ide
Using IDE file strat-cg.ide
Using IDE file ds061127.ide
Using IDE file ds061128.ide
Using IDE file ds061130.ide
Using IDE file ds061204.ide
Using IDE file ds061205.ide
Using IDE file ds061207.ide
Using IDE file ds061208.ide
Using IDE file ds061214.ide
Using IDE file pardon-c.ide
Using IDE file dwnl-fxo.ide
Using IDE file fakea-ah.ide
Using IDE file feebszip.ide
Using IDE file gold-eh.ide
Using IDE file grayb-ec.ide
Using IDE file kidala-i.ide
Using IDE file ldpi-aze.ide
Using IDE file poebo-jd.ide
Using IDE file strat-cf.ide
Using IDE file strat-cd.ide
Using IDE file limpne-a.ide
Using IDE file strat-bv.ide
Using IDE file strat-al.ide
Using IDE file pardon-d.ide
Using IDE file line-afb.ide
Using IDE file stinx-y.ide
Using IDE file look-ba.ide
Using IDE file look-be.ide
Using IDE file look-bf.ide
Using IDE file strat-aj.ide
Using IDE file star-bda.ide
Using IDE file spake-a.ide
Using IDE file sillyf-g.ide
Using IDE file sohana-b.ide
Using IDE file sharp-t.ide
Using IDE file looke-bb.ide
Using IDE file looke-bc.ide
Using IDE file sdbo-cwa.ide
Using IDE file ruindl-x.ide
Using IDE file mmthie-s.ide
Using IDE file mofei-t.ide
Using IDE file rootk-ba.ide
Using IDE file murlo-q.ide
Using IDE file mytob-if.ide
Using IDE file rjump-h.ide
Using IDE file strd-fam.ide
Using IDE file rjump-g.ide
Using IDE file qqhelp-p.ide
Using IDE file remadm-p.ide
Using IDE file rbot-fvz.ide
Using IDE file paprox-d.ide
Using IDE file rbot-fwy.ide
Using IDE file rbot-fyf.ide
Using IDE file starbo-e.ide
Using IDE file qqro-abd.ide
Using IDE file qqrb-abq.ide
Using IDE file ds061115.ide
Using IDE file medbot-b.ide
Using IDE file dwnl-fvg.ide
Using IDE file qqpa-akl.ide
Using IDE file look-ax.ide
Using IDE file pardon-a.ide
Using IDE file qqro-aba.ide
Using IDE file pardon-b.ide
Using IDE file rbot-fuo.ide
Using IDE file rbot-fus.ide
Using IDE file dloa-apl.ide
Using IDE file rbot-fwl.ide
Using IDE file rbot-fwm.ide
Using IDE file ds061116.ide
Using IDE file dref-o.ide
Using IDE file nebul-m.ide
Using IDE file mona-b.ide
Using IDE file agnt-dgy.ide
Using IDE file psyme-dd.ide
Using IDE file looke-az.ide
Using IDE file rungbu-c.ide
Using IDE file sdbo-cuj.ide
Using IDE file looke-av.ide
Using IDE file looke-ay.ide
Using IDE file silly-e.ide
Using IDE file looke-ar.ide
Using IDE file sniffe-m.ide
Using IDE file looke-aq.ide
Using IDE file looke-a.ide
Using IDE file line-aeo.ide
Using IDE file pitcom-c.ide
Using IDE file stex-a.ide
Using IDE file line-aeh.ide
Using IDE file line-aeg.ide
Using IDE file strat-ak.ide
Using IDE file levona-b.ide
Using IDE file strat-bo.ide
Using IDE file strat-bq.ide
Using IDE file legmi-yy.ide
Using IDE file ldpin-op.ide
Using IDE file proxy-eu.ide
Using IDE file ds061113.ide
Using IDE file dropp-ma.ide
Using IDE file dload-yt.ide
Using IDE file dloadaqk.ide
Using IDE file delspy-e.ide
Using IDE file strd-gen.ide
Using IDE file tibs-pf.ide
Using IDE file tileb-fy.ide
Using IDE file ntroo-av.ide
Using IDE file tileb-hn.ide
Using IDE file tileb-hx.ide
Using IDE file backdr-c.ide
Using IDE file adloa-kb.ide
Using IDE file clagg-am.ide
Using IDE file vb-crj.ide
Using IDE file bancb-oj.ide
Using IDE file clagg-al.ide
Using IDE file winspy-l.ide
Using IDE file wow-aj.ide
Using IDE file clagg-ak.ide
Using IDE file clagg-aj.ide
Using IDE file bronto-m.ide
Using IDE file zlob-nw.ide
Using IDE file banc-api.ide
Using IDE file bckd-pnp.ide
Using IDE file banl-aqv.ide
Using IDE file batkil-a.ide
Using IDE file zlobat.ide

Full Scanning

Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau1.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau2.zip\ronald aaronson@adbureau[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Adbureau2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdFlow.zip\ronald aaronson@ad-flow[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdFlow.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdFlow.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdMonitor.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdMonitor.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdMonitor.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdMonitor1.zip\ronald aaronson@admonitor[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdMonitor1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AdMonitor1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Advertisingcom.zip\ronald
(e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Advertisingcom.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Advertisingcom.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Advertisingcom1.zip\ronald
aaronson@advertising[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Advertisingcom1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Advertisingcom1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AlexaRelated.zip\RELATED.HTM
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AlexaRelated.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Aureate.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Aureate.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Aureate.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Aureate1.zip\advert.dll
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Aureate1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Aureate1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc.zip\ronald aaronson@atdmt[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc1.zip\ronald aaronson@atdmt[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc2.zip\ronald aaronson@atdmt[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\AvenueAInc2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast.zip\ronald aaronson@bfast[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast1.zip\ronald aaronson@bfast[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast2.zip\ronald aaronson@bfast[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\BFast2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ClickAgents.zip\ronald aaronson@clickagents[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ClickAgents.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ClickAgents.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction1.zip\ronald
(e-mail address removed)-junction[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction2.zip\ronald aaronson@qksrv[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction3.zip\ronald
aaronson@commission-junction[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction3.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction3.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction4.zip\ronald aaronson@qksrv[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction4.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction4.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction5.zip\ronald
aaronson@commission-junction[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction5.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CommissionJunction5.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CoreMetrics.zip\ronald
(e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CoreMetrics.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\CoreMetrics.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DoubleClick.zip\ronald aaronson@doubleclick[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DoubleClick.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DoubleClick.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DoubleClick1.zip\ronald aaronson@doubleclick[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DoubleClick1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DoubleClick1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit1.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit2.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit3.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit3.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit3.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit4.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit4.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit4.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit5.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit5.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\DSOExploit5.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\eBatesMoneyMaker.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\eBatesMoneyMaker.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\eBatesMoneyMaker.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\eBatesMoneyMaker1.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\eBatesMoneyMaker1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\eBatesMoneyMaker1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc.zip\ronald aaronson@engage[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc1.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc2.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\EngageInc2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Enliven.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Enliven.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Enliven.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Excite.zip\ronald aaronson@excite[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Excite.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Excite.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Excite1.zip\ronald aaronson@excite[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Excite1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Excite1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\FastClick.zip\ronald aaronson@fastclick[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\FastClick.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\FastClick.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\FastClick1.zip\ronald aaronson@fastclick[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\FastClick1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\FastClick1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Flycast.zip\ronald aaronson@flycast[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Flycast.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Flycast.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Focalink.zip\ronald aaronson@focalink[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Focalink.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Focalink.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Gator.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Gator.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Gator.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Gator1.zip\ronald aaronson@gator[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Gator1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\Gator1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox1.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox10.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox10.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox10.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox11.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox11.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox11.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox12.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox12.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox12.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox13.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox13.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox13.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox14.zip\ronald
(e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox14.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox14.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox15.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox15.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox15.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox16.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox16.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox16.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox17.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox17.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox17.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox18.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox18.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox18.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox19.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox19.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox19.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox2.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox20.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox20.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox20.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox21.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox21.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox21.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox3.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox3.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox3.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox4.zip\ronald aaronson@hitbox[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox4.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox4.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox5.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox5.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox5.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox6.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox6.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox6.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox7.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox7.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox7.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox8.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox8.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox8.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox9.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox9.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitBox9.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitsLink.zip\ronald (e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitsLink.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\HitsLink.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\LinkSynergy.zip\ronald aaronson@linksynergy[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\LinkSynergy.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\LinkSynergy.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\LinkSynergy1.zip\ronald aaronson@linksynergy[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\LinkSynergy1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\LinkSynergy1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex.zip\ronald aaronson@mediaplex[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex1.zip\ronald aaronson@mediaplex[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex2.zip\ronald aaronson@mediaplex[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\MediaPlex2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel1.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel2.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel3.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel3.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel3.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel4.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel4.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel4.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel5.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel5.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\NavExcel5.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\OffshoreClicks.zip\ronald
aaronson@offshoreclicks[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\OffshoreClicks.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\OffshoreClicks.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexList.zip\ronald aaronson@sexlist[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexList.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexList.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker.zip\ronald
(e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker1.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker10.zip\ronald
(e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker10.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker10.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker2.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker3.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker3.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker3.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker4.zip\ronald aaronson@sextracker[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker4.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker4.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker5.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker5.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker5.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker6.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker6.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker6.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker7.zip\ronald
(e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker7.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker7.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker8.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker8.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker8.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker9.zip\ronald
(e-mail address removed)[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker9.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\SexTracker9.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\TargetNet.zip\ronald aaronson@targetnet[2].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\TargetNet.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\TargetNet.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueAd.zip\ronald (e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueAd.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueAd.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueClick.zip\ronald aaronson@valueclick[3].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueClick.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueClick.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueClick1.zip\ronald aaronson@valueclick[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueClick1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\ValueClick1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WebTrendslive.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WebTrendslive.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WebTrendslive.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WebTrendslive1.zip\ronald
(e-mail address removed)[1].txt
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WebTrendslive1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WebTrendslive1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer1.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer2.zip\comment
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.reg
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.ini
Password protected file c:\Documents and Settings\All
Users\Application Data\Spybot - Search &
Destroy\Recovery\WindowsMediaPlayer3.zip\comment
Could not open c:\Documents and Settings\LocalService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\LocalService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Documents and Settings\postgres\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\postgres\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Password protected file c:\Documents and Settings\Ronald
Aaronson\Application
Data\Adobe\Acrobat\6.0\Messages\ENU\read0600win_ENUadbe0061.pdf
Password protected file c:\Documents and Settings\Ronald
Aaronson\Application
Data\Adobe\Acrobat\6.0\Messages\ENU\read0600win_ENUyhoo0013.pdf
Password protected file c:\Documents and Settings\Ronald
Aaronson\Application
Data\Adobe\Acrobat\7.0\Messages\ENU\read0600win_ENUyhoo0010.pdf
Password protected file c:\Documents and Settings\Ronald
Aaronson\Application
Data\Adobe\Acrobat\7.0\Messages\ENU\read0700win_ENUadbe0700.pdf
Could not open c:\Documents and Settings\Ronald Aaronson\Application
Data\Microsoft\Outlook\outcmd.dat
Could not open c:\Documents and Settings\Ronald Aaronson\Application
Data\Mozilla\Firefox\Profiles\u8qyuc97.default\parent.lock
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbc2em.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbc2emh.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbdam
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbdao
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbeam
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbeao
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbm
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbu2dm.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbu2dmh.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbvm.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\fii.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\fiih.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\fim1i.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\fim1ih.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\hp
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\hpt2i.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\rpm.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\rpm1n.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\rpm1n1m.cf1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\rpm1n1mh.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\rpm1nh.ht1
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Google\Google Desktop Search\rpmh.ht1
Could not check c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Microsoft\Outlook\outlook.pst (virus scan
failed)
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Documents and Settings\Ronald Aaronson\Local
Settings\Temp\Perflib_Perfdata_c10.dat
Could not check c:\Download\tiger.zip\tiger/chap4/Parse/Yylex.class
(corrupt)
Password protected file
c:\Download\winzip80.exe\SfxArchiveData\SETUP.WZ\WINZIP32.EX_
Could not open c:\hiberfil.sys
Could not open c:\Inetpub\catalog.wci\CiCL0001.000
Could not open c:\Inetpub\catalog.wci\CiP10000.000
Could not open c:\Inetpub\catalog.wci\CiP20000.000
Could not open c:\Inetpub\catalog.wci\CiPT0000.000
Could not open c:\Inetpub\catalog.wci\CiSL0001.000
Could not open c:\Inetpub\catalog.wci\CiSP0000.000
Could not open c:\Inetpub\catalog.wci\CiST0000.000
Could not open c:\Inetpub\catalog.wci\CiVP0000.000
Could not open c:\Inetpub\catalog.wci\INDEX.000
Could not check
c:\ipm3\cvs2cl\cvs2cl\BUGS\mail\prune-doesnt-work\att-0002\cvs2pl.bug.tbz2\Bzip2
(corrupt)
Could not check
c:\ipm3\cvs2cl\cvs2cl\BUGS\mail\revision-on-branch-plus-ten-rev\att-0001\cvs2pl.bug.tbz2\Bzip2
(corrupt)
Could not check
c:\ipm3\cvs2cl\cvs2cl\BUGS\mail\show-tags-option\att-0002\01-log.tgz\Gzip
(corrupt)
Could not check
c:\ipm3\cvs2cl\cvs2cl\BUGS\mail\show-tags-option\att-0002\log.tgz\Gzip
(corrupt)
Could not check c:\ipm3\sds\data2.cab\ICAB:00013aab (corrupt)
Could not check c:\ipm3\sds.zip\data2.cab\ICAB:00013aab (corrupt)
Could not check
c:\jwsdp-1.5\jaxrpc\build\samples\PO\model-wsdl-rpcenc.xml.gz\Gzip
(corrupt)
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\ENU\RdrMsgENU.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\RdrMsgSplash.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\WebSearch\WebSearchENU.pdf
Password protected file c:\Program Files\Adobe\Acrobat 7.0\Setup
Files\RdrBig708\ENU\Data1.cab\WebSearchENU.pdf
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bck1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt11.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt12.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt13.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt21.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt22.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt23.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt31.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt32.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt33.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt41.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt42.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt43.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt51.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt52.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt53.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt61.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt62.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\main.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\preview.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp
Password protected file c:\Program
Files\SUPERAntiSpyware\Quarantine\Quarantine - 11-27-2006 -
07-23-13.SBU\backup.db
Password protected file c:\Program
Files\SUPERAntiSpyware\Quarantine\Quarantine - 12-10-2006 -
10-41-32.SBU\backup.db
Could not open c:\System Volume Information\catalog.wci\CiCL0001.000
Could not open c:\System Volume Information\catalog.wci\CiP10000.000
Could not open c:\System Volume Information\catalog.wci\CiP20000.000
Could not open c:\System Volume Information\catalog.wci\CiPT0000.000
Could not open c:\System Volume Information\catalog.wci\CiSL0001.000
Could not open c:\System Volume Information\catalog.wci\CiSP0000.000
Could not open c:\System Volume Information\catalog.wci\CiST0000.000
Could not open c:\System Volume Information\catalog.wci\CiVP0000.000
Could not open c:\System Volume Information\catalog.wci\INDEX.000
Password protected file c:\WINDOWS\Cache\Adobe Reader
6\Data1.cab\RdrMsgENU.pdf
Could not open
c:\WINDOWS\SoftwareDistribution\EventCache\{47516CBA-304C-485D-81C6-5BD8A1A07B99}.bin
Could not open c:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
Could not check c:\xalan-j_2_2_D6\samples\extensions\sql\Xalan SQL
Extension.doc (corrupt)
Could not open d:\

1 master boot record swept.
246104 files swept in 5 hours, 0 minutes and 58 seconds.
428 errors were encountered.
No viruses were discovered.
362 encrypted files were not checked.
Ending Sophos Anti-Virus.

------------------------------- McAfee ----------------

Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - May 26 2006

Scan engine v5.1.00 for Win32.
Virus data file v4919 created Dec 14 2006
Scanning for 220893 viruses, trojans and variants.

Virus Scan Results

12/15/2006 08:15:24

Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML
"C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 1139641
Clean: ................. 1139315
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 4
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

Time: 03:12.32

Visit the McAfee Online Web Site
Need some help or advice? Send email to Technical Support.

David H. Lipman said:
From: "Ron Aaronson" <[email protected]>

|
| The latest log still has the line:
|
| O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe
|
| But I cannot find an instance of Mstask32.exe in any of the obvious
| places. Does the above line signify an attempt to run such a module
| or is it clear evidence that an instance of Mstask32.exe is actually
| running? I found in the regsitry:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
| Mstask32driver = Mstask32.exe
|
| So there may be an attempt to run this. I suspect that one of the
| malware scans I ran deleted Mstask32.exe but neglected to clean up the
| registry. Should I clean this up?

Start with the Sophos module of the below Multi AV Scanning Tool...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

David H. Lipman · Dec 15, 2006

From: "Ron Aaronson" <[email protected]>

| I think everything has been cleared up -- here are the results of
| Sophos and McAfee scans:
|

Yes it seems so. The following can be removed from the Registry...

O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe

You can do this from with HJT.