Cannot get rid of files after infection from trojans and malware



dillyyo72
2009-08-28, 01:14
My son was surfing and going P2P and he told me he got some viruses. When I scanned my comp with Rising antivirus and Spybot I got back some nasty stuff, from what I found on the internet. I ran both several times in safe mode and removed as much as I could find and was informed I should online.

Symptoms were freeze-ups, lagging, locked policies like no task manager, no background, etc. It was also disabling my antivirus and not letting me log into programs. I got much of it back, but things are still there. In particular, 4 files that show up in Spybot yet the files are not there. I am including an HJT report (renamed to dillyyo72.exe), a Spybot report with some malware (registry errors) and 4 files that are always there even after fixing, and what shows up on the Microsoft Live online scan I am running as we speak.

I don't know if this is related, but my DVD will not read blank discs. I ran a Dell diagnostic and all came out good, so Dell's people told me I just have to reformat and reinstall the OS. Not preferable, but might be necessary. Can you tell me if this would get rid of all infections I might have? Is it safe to transfer all my docs, pics and videos to an external drive before reformatting with no risk of virus transfer? I would scan them before transfer.

Well, here are the reports I mentioned. Thanks for the help.

Spy Bot:

AdDestination: [SBI $20815D48] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\d85588fb-8da5-cdab-f31d-6bab71677c02

Win32.FraudLoad.edt: [SBI $0174D446] Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\NordBull

Win32.FraudLoad.edt: [SBI $0174D446] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\NordBull

Win32.TDSS.rtk: [SBI $4568377B] File (File, nothing done)
C:\WINDOWS\system32\drivers\kbiwkmqjuyxwrm.sys
Properties.size=0
Properties.md5=F6A71590FFB7F4816DDBC6F22CFE055C

Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmferpxuck.dll
Properties.size=0
Properties.md5=3B4644E78E6DF95C7B6433E4EAE0E7D0

Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmmcjsbaet.dll
Properties.size=0
Properties.md5=796E92D2B25B6FB4352674BA449B7393

Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmaogspjoc.dat
Properties.size=0
Properties.md5=7D04C2822F4F7536EA0B0AFE6436FF14

Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmqpvgppwi.dat
Properties.size=0
Properties.md5=60B665DE07DEFEDCD1107BC6FA549206


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-08-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-08-25 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-08-25 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-08-25 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-08-25 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-08-11 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-25 Includes\Trojans.sbi (*)
2009-08-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

The Win32 files are the ones that keep coming back, but are not where it says they are.


HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:42 PM, on 8/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Dillyyo72.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: precisead - {bf386b10-fd3b-eed5-2442-8fcb4e6e963e} - C:\WINDOWS\system32\nse80.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\gvwf.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Audio Kontrol 1] C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.beatport.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145072392000
O16 - DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - http://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 9809 bytes



The Microsoft online scanner is still running. It shows 4 detections and 3 issues found, so I will include them after it is done.

:sad:

I read about LimeWire and deleted the program. This is the latest run of HJT (no LimeWire), Spybot and info from the Microsoft online scanning. I couldn't print a report or copy and paste, so I am just typing what it says in the protection part:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:20, on 27/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Dillyyo72.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\gvwf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145072392000
O16 - DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - http://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 9392 bytes


AdDestination: [SBI $20815D48] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\d85588fb-8da5-cdab-f31d-6bab71677c02

Win32.FraudLoad.edt: [SBI $0174D446] Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\NordBull

Win32.FraudLoad.edt: [SBI $0174D446] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\NordBull

Win32.TDSS.rtk: [SBI $4568377B] File (File, nothing done)
C:\WINDOWS\system32\drivers\kbiwkmqjuyxwrm.sys
Properties.size=0
Properties.md5=F6A71590FFB7F4816DDBC6F22CFE055C

Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmferpxuck.dll
Properties.size=0
Properties.md5=3B4644E78E6DF95C7B6433E4EAE0E7D0

Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmmcjsbaet.dll
Properties.size=0
Properties.md5=796E92D2B25B6FB4352674BA449B7393

Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmaogspjoc.dat
Properties.size=0
Properties.md5=7D04C2822F4F7536EA0B0AFE6436FF14

Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\WINDOWS\system32\kbiwkmqpvgppwi.dat
Properties.size=0
Properties.md5=60B665DE07DEFEDCD1107BC6FA549206


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-08-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-08-25 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-08-25 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-08-25 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-08-25 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-08-11 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-25 Includes\Trojans.sbi (*)
2009-08-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


I had 4 severe and 2 high issues found with the online scanner.

-Trojan:Win32/Alureon.gen!U
-Trojan downloader:Win32/fakeinit
-VirTool:Win32/DelfInject.gen!T
-VirTool:Win32/Obfuscator.ET

Trojan:JS/Agent.FA
TrojanDownloader:Win32/Renos.JM

I have noticed that Outlook has had to reinstall (didn't let it complete) and I can't seem to find my PST files. :sad:
=================================
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Shaba
2009-08-29, 12:26
Hi dillyyo72

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

dillyyo72
2009-08-29, 19:45
ComboFix 09-08-28.05 - Jonathan Malave 29/08/2009 12:08.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2558.2156 [GMT -4:00]
Running from: c:\documents and settings\Jonathan Malave\Desktop\ComboFix.exe
AV: Rising Antivirus *On-access scanning disabled* (Updated) {234E4A88-48FA-4220-A994-5323706FF524}
* Created a new restore point
* Resident AV is active

.
/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kbiwkmqjuyxwrm.sys
c:\windows\system32\kbiwkmaogspjoc.dat
c:\windows\system32\kbiwkmferpxuck.dll
c:\windows\system32\kbiwkmmcjsbaet.dll
c:\windows\system32\kbiwkmqpvgppwi.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmlnbpjyod
-------\Legacy_kbiwkmlnbpjyod
-------\Legacy_hooksys
-------\Service_hooksys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-29 04:22 . 2009-08-29 04:23 -------- dc-h--w- c:\windows\ie8
2009-08-29 04:20 . 2009-08-29 04:20 -------- dc----w- C:\11d6fc14b292ca73a9d0
2009-08-26 23:38 . 2009-08-26 23:38 -------- dc----w- c:\program files\microsoft frontpage
2009-08-26 00:07 . 2009-08-26 15:31 58341 -c--a-w- c:\windows\system32\u_bcetlkvlynfjpjnk.dll.exe
2009-08-25 21:17 . 2009-08-29 15:25 86005 -c--a-w- c:\windows\system32\d85588fb-8da5-cdab-f31d-6bab71677c02.exe
2009-08-25 21:17 . 2009-08-25 21:47 48273 -c--a-w- c:\windows\system32\zwozzmkwrxq.exe
2009-08-25 21:14 . 2009-08-25 21:14 4 -c--a-w- c:\documents and settings\Jonathan Malave\Application Data\NP.sys
2009-08-25 21:13 . 2009-08-25 21:13 134144 -c--a-w- c:\windows\ceids88045.exe
2009-08-25 21:12 . 2009-08-25 21:12 412160 -c--a-w- c:\windows\denc4602.exe
2009-08-25 21:12 . 2009-08-26 17:42 -------- dc----w- c:\program files\runit
2009-08-25 21:12 . 2009-08-25 21:12 69697 -c--a-w- c:\windows\avqhl4521.exe
2009-08-25 21:12 . 2009-08-25 21:12 889078 -c--a-w- c:\windows\avge04557.exe
2009-08-21 23:34 . 2009-08-21 23:35 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-21 23:34 . 2009-08-21 23:34 -------- dc----w- c:\program files\NOS
2009-08-20 20:24 . 2009-08-20 20:25 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-08-14 19:16 . 2009-08-14 19:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Citrix
2009-08-14 19:16 . 2009-08-14 19:16 -------- dc----w- c:\documents and settings\Jonathan Malave\Local Settings\Application Data\Citrix
2009-08-12 02:25 . 2009-08-12 02:25 152576 -c--a-w- c:\documents and settings\Jonathan Malave\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 15:53 . 2006-04-14 19:57 49072 -c--a-w- c:\documents and settings\Jonathan Malave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 01:30 . 2006-07-26 02:00 -------- dc----w- c:\program files\Web Publish
2009-08-27 21:22 . 2006-12-17 14:55 -------- dc----w- c:\program files\Windows Live Safety Center
2009-08-26 21:58 . 2006-04-14 23:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 02:38 . 2008-11-14 06:14 -------- dc----w- c:\documents and settings\Jonathan Malave\Application Data\LimeWire
2009-08-12 02:26 . 2007-06-26 06:11 -------- dc----w- c:\program files\Java
2009-08-11 23:05 . 2009-07-08 03:30 34200 -c--a-w- c:\windows\system32\drivers\HookHelp.sys
2009-08-11 23:05 . 2009-07-08 03:30 144024 -c--a-w- c:\windows\system32\drivers\HookSys.sys
2009-08-06 23:52 . 2007-06-10 05:33 -------- dc----w- c:\documents and settings\Jonathan Malave\Application Data\dvdcss
2009-08-05 09:01 . 2004-08-12 13:23 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:29 . 2006-04-14 20:23 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-07-25 09:23 . 2009-07-16 01:55 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-07-24 04:05 . 2009-07-24 04:06 737280 -c--a-w- c:\windows\iun6002.exe
2009-07-17 19:01 . 2004-08-12 13:17 58880 -c--a-w- c:\windows\system32\atl.dll
2009-07-16 01:54 . 2009-07-16 01:54 152576 -c--a-w- c:\documents and settings\Jonathan Malave\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-14 19:40 . 2009-03-11 17:18 -------- dc----w- c:\program files\Google
2009-07-14 19:12 . 2008-07-07 04:41 -------- dc----w- c:\program files\Windows Live
2009-07-14 19:11 . 2008-07-14 19:02 -------- dc----w- c:\program files\Common Files\Apple
2009-07-14 03:43 . 2004-08-12 13:34 286208 -c--a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 03:29 . 2009-07-08 03:30 15216 -c--a-w- c:\windows\system32\drivers\HookCont.sys
2009-07-08 03:28 . 2009-07-08 03:30 238704 -c--a-w- c:\windows\system32\bsmain.exe
2009-07-08 03:28 . 2009-07-08 03:30 10832 -c--a-w- c:\windows\system32\drivers\RsNTGdi.sys
2009-07-08 03:28 . 2009-07-08 03:30 146032 -c--a-w- c:\windows\system32\RavExt.dll
2009-07-08 03:21 . 2006-04-14 19:59 -------- dc----w- c:\program files\Rising
2009-07-08 03:20 . 2009-07-08 03:20 -------- dc----w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-07-08 03:18 . 2006-05-07 06:48 -------- dc----w- c:\program files\Common Files\Adobe
2009-07-02 14:14 . 2009-07-02 14:14 1338368 -c--a-w- c:\windows\system32\nshE.dll
2009-06-29 16:12 . 2004-08-12 13:33 827392 -c----w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-12 13:18 17408 -c----w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-12 13:32 54272 -c--a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-12 13:28 56832 -c--a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-12 13:27 147456 -c--a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-12 13:23 136192 -c--a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-12 13:21 730112 -c--a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-12 13:20 301568 -c--a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-12 13:20 92928 -c--a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-12 13:30 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-12 13:19 81920 -c--a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-12 13:31 80896 -c--a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-12 13:30 76288 -c--a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-12 13:17 84992 -c--a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-04-14 19:48 2066432 -c--a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-12 13:33 132096 -c--a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-12 13:26 1291264 -c--a-w- c:\windows\system32\quartz.dll
2007-09-12 15:19 . 2007-12-01 14:44 8784 -c--a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 15:22 . 2007-12-01 14:44 245408 -c--a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2007-06-08 06:24 . 2007-06-08 06:24 10856 -csha-w- c:\windows\system32\KGyGaAvL.sys
2006-12-24 13:19 . 2006-12-24 13:19 73 -csha-w- c:\windows\system32\SYSDRVREB.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf386b10-fd3b-eed5-2442-8fcb4e6e963e}]
2009-07-02 14:14 1338368 -c--a-w- c:\windows\system32\nshE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"RavTray"="c:\program files\Rising\Rav\RsTray.exe" [2009-07-08 141936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-4-14 209016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{32CD708B-60A7-4C00-9377-D73EAA495F0F}"= "c:\windows\system32\RavExt.dll" [2009-07-08 146032]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0 bsmain

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"winupdate.exe"=c:\windows\system32\winupdate.exe
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rising\\Rav\\Update\\Setup.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 RsNTGDI;RsNTGDI;c:\windows\system32\drivers\RsNTGdi.sys [07/07/2009 23:30 10832]
R1 hookcont;hookcont;c:\windows\system32\drivers\HookCont.sys [07/07/2009 23:30 15216]
R2 BaseTDI;Rising TDI Base Driver;c:\windows\system32\drivers\basetdi.sys [14/04/2006 16:42 13364]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 16:42 156968]
R2 RavTask;Rising RavTask Manager;c:\program files\Rising\Rav\RavTask.exe [07/07/2009 23:30 129648]
R3 ak1avs;ak1avs;c:\windows\system32\drivers\ak1avs.sys [25/04/2009 23:43 25600]
R3 ak1usb;ak1usb;c:\windows\system32\drivers\ak1usb.sys [25/04/2009 23:43 186368]
S2 RavCCenter;Rav Process Communication Center;c:\program files\Rising\Rav\CCenter.exe [07/07/2009 23:30 113264]
S2 RsRavMon;Rising RealTime Monitor;c:\program files\Rising\Rav\RavMonD.exe [07/07/2009 23:30 133744]
S2 RsScanSrv;Rising Scan Service;c:\program files\Rising\Rav\ScanFrm.exe [07/07/2009 23:30 51824]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [18/10/2006 13:01 16512]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [12/08/2004 09:30 14336]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [14/04/2006 16:23 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TkBellExe - realsched.exe


.
------- Supplementary Scan -------
.
DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - hxxp://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
FF - ProfilePath - c:\documents and settings\Jonathan Malave\Application Data\Mozilla\Firefox\Profiles\3ag8935g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 12:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3224)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Rising\Rav\rsnetsvr.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\hpzipm12.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\PRISMSVR.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-08-29 12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-29 16:38

Pre-Run: 10,348,044,288 bytes free
Post-Run: 10,243,104,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

265 --- E O F --- 2009-08-26 00:21

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:54, on 29/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\Dillyyo72.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: precisead - {bf386b10-fd3b-eed5-2442-8fcb4e6e963e} - C:\WINDOWS\system32\nshE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145072392000
O16 - DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - http://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 8831 bytes

Shaba
2009-08-29, 19:55
Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).

c:\windows\system32\u_bcetlkvlynfjpjnk.dll.exe
c:\windows\system32\d85588fb-8da5-cdab-f31d-6bab71677c02.exe
c:\windows\system32\zwozzmkwrxq.exe
c:\windows\avqhl4521.exe
c:\windows\avge04557.exe

Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
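An added example, not part of Shaba's post or of any tool named in this thread: the results that Jotti or VirusTotal return for an uploaded file lead with its MD5/SHA1/SHA256 and, for a PE, a per-section table (virtual address, virtual and raw sizes, entropy, section MD5) plus the compile timestamp. The script below reproduces those fields offline with nothing but the Python standard library, so a suspect file can be hashed and inspected before it is uploaded, and it flags the two things worth noticing in a small NSIS-built installer: a section that occupies memory but has no bytes on disk (which is why such a section's MD5 is the MD5 of the empty string) and a section whose entropy says it is packed or encrypted. The 7.0 bits/byte threshold is an assumed rule of thumb, and the embedded PE is constructed for the example rather than taken from the machine; pass a file path as the first argument to run it on a real binary.

```python
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table, standard library only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(raw), "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "entry_point": entry_point, "sections": sections,
            "compiled": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")}


def triage(data: bytes) -> dict:
    """Whole-file hashes for the multi-scanner lookup plus cheap static red flags."""
    report = parse_pe(data)
    for algo in ("md5", "sha1", "sha256"):
        report[algo] = hashlib.new(algo, data).hexdigest()
    findings, ep, ep_section = [], report["entry_point"], None
    for s in report["sections"]:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            ep_section = s["name"]
        if s["rawsize"] == 0 and s["vsize"] > 0:
            # Reserved in memory but absent on disk (NSIS's .ndata): its MD5 is that of the empty string.
            findings.append(f"{s['name']}: no raw data, {s['vsize']:#x} bytes mapped at run time")
        elif s["entropy"] >= 7.0:   # 7.0 bits/byte is an assumed threshold, not a hard rule
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted")
    if ep_section is None:
        findings.append("entry point lies outside every section")
    elif ep_section != ".text":
        findings.append(f"entry point in {ep_section}, not .text")
    report["entry_section"], report["findings"] = ep_section, findings
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE32, not a real sample: high-entropy .text, constant .data and an
    NSIS-style .ndata with no raw bytes. The timestamp is the one from the posted VirusTotal report."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x4A2AE29C, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1010)                         # entry point inside .text
    specs = [(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),
             (b".data", 0x100, 0x2000, 0x100, 0x600, 0xC0000040),
             (b".ndata", 0x1000, 0x3000, 0, 0, 0xC0000080)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in specs)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x400, b"\0")
    return headers + bytes(range(256)) * 2 + b"A" * 0x100          # .text then .data raw bytes


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    r = triage(blob)
    print(f"MD5 {r['md5']}\nSHA1 {r['sha1']}\nSHA256 {r['sha256']}\ncompiled {r['compiled']} UTC")
    for s in r["sections"]:
        print(f"{s['name']:<7} va={s['vaddr']:#08x} vsize={s['vsize']:#08x} raw={s['rawsize']:#08x} "
              f"entropy={s['entropy']:.2f} md5={s['md5']}")
    for f in r["findings"]:
        print("!!", f)
```

Run it with no argument to see the built-in sample, or with the path of a copy of one of the files on the list to get the hashes before uploading; a high-entropy `.text` next to an empty-MD5 `.ndata` is the signature of a packed NSIS installer, and the whole-file SHA256 is what to search for on VirusTotal if the upload has already been seen.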

dillyyo72
2009-08-29, 20:49
File u_bcetlkvlynfjpjnk.dll.exe received on 2009.08.29 17:34:02 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.29 -
AhnLab-V3 5.0.0.2 2009.08.29 -
AntiVir 7.9.1.7 2009.08.28 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.29 -
Avast 4.8.1335.0 2009.08.28 -
AVG 8.5.0.406 2009.08.29 -
BitDefender 7.2 2009.08.29 -
CAT-QuickHeal 10.00 2009.08.29 -
ClamAV 0.94.1 2009.08.29 -
Comodo 2124 2009.08.29 -
DrWeb 5.0.0.12182 2009.08.29 -
eSafe 7.0.17.0 2009.08.27 -
eTrust-Vet 31.6.6707 2009.08.28 -
F-Prot 4.5.1.85 2009.08.29 -
F-Secure 8.0.14470.0 2009.08.28 -
Fortinet 3.120.0.0 2009.08.29 -
GData 19 2009.08.29 -
Ikarus T3.1.1.68.0 2009.08.29 -
Jiangmin 11.0.800 2009.08.29 -
K7AntiVirus 7.10.831 2009.08.29 -
Kaspersky 7.0.0.125 2009.08.29 -
McAfee 5724 2009.08.29 -
McAfee+Artemis 5724 2009.08.29 Artemis!9FD1B1A23591
McAfee-GW-Edition 6.8.5 2009.08.29 Heuristic.BehavesLike.Win32.Dropper.H
Microsoft 1.5005 2009.08.29 -
NOD32 4379 2009.08.29 -
Norman 2009.08.29 -
nProtect 2009.1.8.0 2009.08.29 -
Panda 10.0.2.2 2009.08.29 -
PCTools 4.4.2.0 2009.08.29 -
Prevx 3.0 2009.08.29 High Risk Cloaked Malware
Rising 21.44.40.00 2009.08.28 -
Sophos 4.45.0 2009.08.29 -
Sunbelt 3.2.1858.2 2009.08.29 -
Symantec 1.4.4.12 2009.08.29 -
TheHacker 6.3.4.3.390 2009.08.28 -
TrendMicro 8.950.0.1094 2009.08.28 -
VBA32 3.12.10.10 2009.08.29 -
ViRobot 2009.8.28.1907 2009.08.28 -
VirusBuster 4.6.5.0 2009.08.29 -
Additional information
File size: 58341 bytes
MD5...: 9fd1b1a23591980ec70e4e097179e41e
SHA1..: 92b512fc76918bf32531f25390cc14b25ed006fb
SHA256: b961caa4f0f564f3881e802fff163af2346410a97d7221f8cf0af5ba6874510a
ssdeep: 768:G4wO7XBz+5Qm3W0tYdrQZHV4EWuWEUOg4jjfS3XJDsDfyanoqPtlvugQL+T:JLXB65939tY6HBg4sXJDsmHQurLK
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x30cb
timedatestamp.....: 0x4a2ae29c (Sat Jun 06 21:41:48 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x58d2 0x5a00 6.43 c69726ed422d3dcfdec9731986daa752
.rdata 0x7000 0x1190 0x1200 5.18 a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data 0x9000 0x1af78 0x400 4.62 e59cdcb732e4bfbc84cc61dd68354f78
.ndata 0x24000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2e000 0x4b38 0x4c00 5.31 d5a25e341f03d13a2d364d738fe70742

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7D164AD1E5419C2BE33800A28048430037D24C78
packers (F-Prot): NSIS

File d85588fb-8da5-cdab-f31d-6bab71677 received on 2009.08.29 17:39:48 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.29 -
AhnLab-V3 5.0.0.2 2009.08.29 -
AntiVir 7.9.1.7 2009.08.28 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.29 -
Avast 4.8.1335.0 2009.08.28 -
AVG 8.5.0.406 2009.08.29 -
BitDefender 7.2 2009.08.29 -
CAT-QuickHeal 10.00 2009.08.29 -
ClamAV 0.94.1 2009.08.29 -
Comodo 2124 2009.08.29 -
DrWeb 5.0.0.12182 2009.08.29 -
eSafe 7.0.17.0 2009.08.27 -
eTrust-Vet 31.6.6707 2009.08.28 -
F-Prot 4.5.1.85 2009.08.29 -
F-Secure 8.0.14470.0 2009.08.28 -
Fortinet 3.120.0.0 2009.08.29 -
GData 19 2009.08.29 -
Ikarus T3.1.1.68.0 2009.08.29 -
Jiangmin 11.0.800 2009.08.29 -
K7AntiVirus 7.10.831 2009.08.29 -
Kaspersky 7.0.0.125 2009.08.29 -
McAfee 5724 2009.08.29 -
McAfee+Artemis 5724 2009.08.29 Suspect-29!D016F3CB79FF
McAfee-GW-Edition 6.8.5 2009.08.29 -
Microsoft 1.5005 2009.08.29 -
NOD32 4379 2009.08.29 -
Norman 2009.08.29 -
nProtect 2009.1.8.0 2009.08.29 -
Panda 10.0.2.2 2009.08.29 -
PCTools 4.4.2.0 2009.08.29 -
Prevx 3.0 2009.08.29 High Risk Cloaked Malware
Rising 21.44.40.00 2009.08.28 -
Sophos 4.45.0 2009.08.29 -
Sunbelt 3.2.1858.2 2009.08.29 -
Symantec 1.4.4.12 2009.08.29 -
TheHacker 6.3.4.3.390 2009.08.28 -
TrendMicro 8.950.0.1094 2009.08.28 -
VBA32 3.12.10.10 2009.08.29 -
ViRobot 2009.8.28.1907 2009.08.28 -
VirusBuster 4.6.5.0 2009.08.29 -
Additional information
File size: 86005 bytes
MD5...: d016f3cb79fff421c32f8208bd5e4027
SHA1..: 4d7c88b61670885043c4616edb0f3b49540659ff
SHA256: 590b3f1089f25f20c91ae16aa35736dfa1dfe5e692d6b4b4ce59027fc1ddd627
ssdeep: 1536:5u4EQalMK/ewGnh0mJPbWUsAbT5u+hwwRVSxg4EMZphZuC/ikZQ7PeQx7ZA<br>9/wr:5Nyah0mJPSUsApu6rRVSxN+eik0PeUZd<br>
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3225
timedatestamp.....: 0x48efcdc9 (Fri Oct 10 21:48:57 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5976 0x5a00 6.47 335c19bb25cd1d02eec2b0a4eacb979c
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1af98 0x400 4.69 59710519e577598f785044e4d95261f4
.ndata 0x24000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2f000 0x7d8 0x800 4.29 68b3d02c23844000b5aa5e3fda2096ff

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=d016f3cb79fff421c32f8208bd5e4027
http://info.prevx.com/aboutprogramtext.asp?PX5=8BBFD997F5C3D6E04F1501CEBA529500F8E9C65E
packers (F-Prot): NSIS

File zwozzmkwrxq.exe received on 2009.08.29 17:42:56 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.29 -
AhnLab-V3 5.0.0.2 2009.08.29 -
AntiVir 7.9.1.7 2009.08.28 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.29 -
Avast 4.8.1335.0 2009.08.28 -
AVG 8.5.0.406 2009.08.29 Generic_c.AYKT
BitDefender 7.2 2009.08.29 -
CAT-QuickHeal 10.00 2009.08.29 -
ClamAV 0.94.1 2009.08.29 -
Comodo 2124 2009.08.29 -
DrWeb 5.0.0.12182 2009.08.29 -
eSafe 7.0.17.0 2009.08.27 -
eTrust-Vet 31.6.6707 2009.08.28 -
F-Prot 4.5.1.85 2009.08.29 -
F-Secure 8.0.14470.0 2009.08.28 -
Fortinet 3.120.0.0 2009.08.29 -
GData 19 2009.08.29 -
Ikarus T3.1.1.68.0 2009.08.29 -
Jiangmin 11.0.800 2009.08.29 -
K7AntiVirus 7.10.831 2009.08.29 -
Kaspersky 7.0.0.125 2009.08.29 -
McAfee 5724 2009.08.29 -
McAfee+Artemis 5724 2009.08.29 Suspect-29!0F880461FE32
McAfee-GW-Edition 6.8.5 2009.08.29 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5005 2009.08.29 -
NOD32 4379 2009.08.29 -
Norman 2009.08.29 -
nProtect 2009.1.8.0 2009.08.29 -
Panda 10.0.2.2 2009.08.29 -
PCTools 4.4.2.0 2009.08.29 -
Prevx 3.0 2009.08.29 High Risk Cloaked Malware
Rising 21.44.40.00 2009.08.28 -
Sophos 4.45.0 2009.08.29 -
Sunbelt 3.2.1858.2 2009.08.29 -
Symantec 1.4.4.12 2009.08.29 -
TheHacker 6.3.4.3.390 2009.08.28 -
TrendMicro 8.950.0.1094 2009.08.28 -
VBA32 3.12.10.10 2009.08.29 -
ViRobot 2009.8.28.1907 2009.08.28 -
VirusBuster 4.6.5.0 2009.08.29 -
Additional information
File size: 48273 bytes
MD5...: 0f880461fe321e9e7edb6a5bd0330e40
SHA1..: b11cafcef75ac60e2a85195203d4f76f9c285281
SHA256: 38045b041b55d55d479afd925787a3ecbb60661b8344ec2fb1d2e6ebe1159cca
ssdeep: 768:CCloVlpQE2MQGc6rDh84nSwN15G4DRF/O71mJ3JRnA6tGTT8u5ML2IeiH+ZNYds:TYpQtMDc6fnpumJA4GTTDHFZNYds
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x323c
timedatestamp.....: 0x49a05a1a (Sat Feb 21 19:46:34 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5a56 0x5c00 6.42 7e9e633fd2aedade49bf819fab33d557
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1af98 0x400 4.71 a59d6ff4f72ca84cc2dea3b332090bfb
.ndata 0x24000 0xd000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x31000 0x908 0xa00 3.85 a6381affa5d795345d320cd0bf75e6d2

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
http://info.prevx.com/aboutprogramtext.asp?PX5=9F2E2D3491F86921BC2E005809A7C5007CD441BD
packers (F-Prot): N

File avqhl4521.exe received on 2009.08.29 17:45:42 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.29 -
AhnLab-V3 5.0.0.2 2009.08.29 -
AntiVir 7.9.1.7 2009.08.28 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.29 -
Avast 4.8.1335.0 2009.08.28 -
AVG 8.5.0.406 2009.08.29 -
BitDefender 7.2 2009.08.29 MemScan:Trojan.Agent.ANLP
CAT-QuickHeal 10.00 2009.08.29 Backdoor.Farfli.j
ClamAV 0.94.1 2009.08.29 -
Comodo 2124 2009.08.29 TrojWare.Win32.TrojanDropper.Agent.~RBP
DrWeb 5.0.0.12182 2009.08.29 -
eSafe 7.0.17.0 2009.08.27 Win32.MaliciousSoftw
eTrust-Vet 31.6.6707 2009.08.28 -
F-Prot 4.5.1.85 2009.08.29 -
F-Secure 8.0.14470.0 2009.08.28 -
Fortinet 3.120.0.0 2009.08.29 -
GData 19 2009.08.29 MemScan:Trojan.Agent.ANLP
Ikarus T3.1.1.68.0 2009.08.29 -
Jiangmin 11.0.800 2009.08.29 -
K7AntiVirus 7.10.831 2009.08.29 -
Kaspersky 7.0.0.125 2009.08.29 -
McAfee 5724 2009.08.29 -
McAfee+Artemis 5724 2009.08.29 Suspect-29!71F29A6CE4C9
McAfee-GW-Edition 6.8.5 2009.08.29 -
Microsoft 1.5005 2009.08.29 -
NOD32 4379 2009.08.29 Win32/VB.OAI
Norman 2009.08.29 Smalldrp.AVFP
nProtect 2009.1.8.0 2009.08.29 -
Panda 10.0.2.2 2009.08.29 -
PCTools 4.4.2.0 2009.08.29 -
Prevx 3.0 2009.08.29 Medium Risk Malware
Rising 21.44.40.00 2009.08.28 -
Sophos 4.45.0 2009.08.29 -
Sunbelt 3.2.1858.2 2009.08.29 Trojan.Win32.Agent.asb
Symantec 1.4.4.12 2009.08.29 -
TheHacker 6.3.4.3.390 2009.08.28 -
TrendMicro 8.950.0.1094 2009.08.28 TROJ_AGENT.ASB
VBA32 3.12.10.10 2009.08.29 -
ViRobot 2009.8.28.1907 2009.08.28 Spyware.Lwsta.Do.69697
VirusBuster 4.6.5.0 2009.08.29 -
Additional information
File size: 69697 bytes
MD5...: 71f29a6ce4c9907783301376c7b7a214
SHA1..: 3165aaf5ca7e6f91541794a721c0d235aef432fa
SHA256: c72e5f8b875dc7c83a3ccac924701d4089017227da07add3e6bb95b652aa138c
ssdeep: 1536:jYTmwVUsW7dtJMHy0DxmJXNQdHnydrHIepHaLEYdVN25+QB:US17XJiDxmJXK1ydrNhsNzQB
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x30e3
timedatestamp.....: 0x48a737ec (Sat Aug 16 20:26:20 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5b68 0x5c00 6.49 6bfa289fc453f683cf6ad42723acbb61
.rdata 0x7000 0x129c 0x1400 5.05 165e3e874dc59c8a96748c6f4d0f4207
.data 0x9000 0x25c58 0x400 4.77 78a50275610b8d77577a9aaa1957d1b6
.ndata 0x2f000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x37000 0xa68 0xc00 3.47 d211484d2bd0bc7cd9fa8208a56e2ff4

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
http://info.prevx.com/aboutprogramtext.asp?PX5=53CB81C141695ED410F40121E4A6000025BCB8E1
packers (F-Prot): NSIS

File avge04557.exe received on 2009.08.29 17:48:29 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.29 -
AhnLab-V3 5.0.0.2 2009.08.29 -
AntiVir 7.9.1.7 2009.08.28 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.29 -
Avast 4.8.1335.0 2009.08.28 -
AVG 8.5.0.406 2009.08.29 -
BitDefender 7.2 2009.08.29 -
CAT-QuickHeal 10.00 2009.08.29 -
ClamAV 0.94.1 2009.08.29 -
Comodo 2124 2009.08.29 -
DrWeb 5.0.0.12182 2009.08.29 Adware.IEHelper.102
eSafe 7.0.17.0 2009.08.27 -
eTrust-Vet 31.6.6707 2009.08.28 -
F-Prot 4.5.1.85 2009.08.29 -
F-Secure 8.0.14470.0 2009.08.28 WebToolbar.Win32.TJ2.a
Fortinet 3.120.0.0 2009.08.29 -
GData 19 2009.08.29 -
Ikarus T3.1.1.68.0 2009.08.29 AdWare.IEToolba
Jiangmin 11.0.800 2009.08.29 -
K7AntiVirus 7.10.831 2009.08.29 -
Kaspersky 7.0.0.125 2009.08.29 not-a-virus:WebToolbar.Win32.TJ2.a
McAfee 5724 2009.08.29 -
McAfee+Artemis 5724 2009.08.29 Artemis!754B51183111
McAfee-GW-Edition 6.8.5 2009.08.29 -
Microsoft 1.5005 2009.08.29 -
NOD32 4379 2009.08.29 -
Norman 2009.08.29 -
nProtect 2009.1.8.0 2009.08.29 -
Panda 10.0.2.2 2009.08.29 Suspicious file
PCTools 4.4.2.0 2009.08.29 -
Prevx 3.0 2009.08.29 High Risk System Back Door
Rising 21.44.40.00 2009.08.28 -
Sophos 4.45.0 2009.08.29 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.08.29 Adware.IEToolbar.TJ.2
Symantec 1.4.4.12 2009.08.29 -
TheHacker 6.3.4.3.390 2009.08.28 -
TrendMicro 8.950.0.1094 2009.08.28 -
VBA32 3.12.10.10 2009.08.29 -
ViRobot 2009.8.28.1907 2009.08.28 Adware.TJ2.To.889078
VirusBuster 4.6.5.0 2009.08.29 Adware.IEToolba.B
Additional information
File size: 889078 bytes
MD5...: 754b51183111422250b118eb7768d164
SHA1..: a862dfebd880aa6699e67ed6ca4e95d7d2a1385e
SHA256: 0895c7a99e119142999b4027e1d7dd5151239d24516581a0a8a228df1a5408be
ssdeep: 24576:JD0btAnTLEr/H8yOZNB6q5d0ckRB4JvpHZlNq:NEtA0bcJ3F5kB4f5lNq
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x30cc
timedatestamp.....: 0x46d055c0 (Sat Aug 25 16:16:00 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57b6 0x5800 6.46 ec844f25c8cba54542e5a2abcbae5b99
.rdata 0x7000 0x1190 0x1200 5.18 90bd2f87a259e7efae7775fc2ed3f717
.data 0x9000 0x1afd8 0x400 5.00 5f348dc6c4935b046240ccf56120be67
.ndata 0x24000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2e000 0x4048 0x4200 5.83 3883ce5a9c4120a39fa913cea287e71e

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
http://info.prevx.com/aboutprogramtext.asp?PX5=88503737F6FF162B90C20D13FDE8B400E1A4A7AD
packers (F-Prot): NSIS

Shaba
2009-08-29, 22:48
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

dillyyo72
2009-08-29, 23:21
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
AnswerWorks 5.0 English Runtime
ASAPI
Ascendo Fitness 3.60
BlackBerry Desktop Software 4.5
BlackBerry Desktop Software 4.5
Broadcom Driver Installer
Compatibility Pack for the 2007 Office system
Contextual Tool Precisead
Critical Update for Windows Media Player 11 (KB959772)
Exact Audio Copy 0.99pb4
GdiplusUpgrade
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
Intel Matrix Storage Manager
Java(TM) 6 Update 15
Java(TM) 6 Update 5
Logitech QuickCam Software
Logitech® Camera Driver
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access 2003
Microsoft Office Basic Edition 2003
Microsoft Office Standard Edition 2003
Microsoft SQL Server Desktop Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (3.5.2)
MSDE
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Native Instruments - Audio Kontrol 1 Driver
Native Instruments Audio Kontrol 1
Native Instruments Traktor DJ Studio 3
NI Service Center
overland
Quicken 2008
QuickTime
RealPlayer
Rising Antivirus
Roxio Media Manager
Salon Iris
Salon Iris
Seagate Manager Installer
Seagate Manager Installer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Service Studio
SoundMAX
Spybot - Search & Destroy
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.9
WaveLab Demo
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

Shaba
2009-08-30, 11:59
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\windows\system32\u_bcetlkvlynfjpjnk.dll.exe
c:\windows\system32\d85588fb-8da5-cdab-f31d-6bab71677c02.exe
c:\windows\system32\zwozzmkwrxq.exe
c:\windows\avqhl4521.exe
c:\windows\avge04557.exe
c:\windows\system32\nshE.dll

Folder::
c:\documents and settings\Jonathan Malave\Application Data\LimeWire


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

dillyyo72
2009-08-30, 17:59
I did everything you stated, but I ran into a problem during the scan. It detects Rising AV running. I tried to disable all self-protect, but one of them I cannot disable (Malicious activity monitoring), so some form of protection stays on. I even went and unchecked everything within the Rising user interface.

I don't ever recall this happening and it didn't happen when I originally ran combofix for you. Should I just let it proceed with that one function enabled or is there some other way to do this?

I don't know exactly what processes are linked with Rising besides the "Rav*" files and I did not see any processes running in "services.msc", although a few were enabled automatically.

FYI: I just found trojans on my laptop, which had shared an external hard drive many times. In short, there is an XML file that has a Rising http: address labelled "virusUploader" that scans as Cloaked Malware, and I am not able to remove this file from my temp folder.

Also, within the main screen of the Rising AntiVirus UI I show a "yellow exclamation" mark next to system core. This is on my desktop (which we are working on) and my laptop. Just informing in case that helps.

Shaba
2009-08-30, 18:41
Please then uninstall Rising and try again.

You can reinstall it when we are done.

dillyyo72
2009-08-30, 19:09
ComboFix 09-08-29.01 - Jonathan Malave 08/30/2009 11:54.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2145 [GMT -4:00]
Running from: c:\documents and settings\Jonathan Malave\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jonathan Malave\Desktop\CFScript.txt

FILE ::
"c:\windows\avge04557.exe"
"c:\windows\avqhl4521.exe"
"c:\windows\system32\d85588fb-8da5-cdab-f31d-6bab71677c02.exe"
"c:\windows\system32\nshE.dll"
"c:\windows\system32\u_bcetlkvlynfjpjnk.dll.exe"
"c:\windows\system32\zwozzmkwrxq.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jonathan Malave\Application Data\LimeWire
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\.AppSpecialShare\[2001-05-26] - Carlos Hernandez vs Floyd Mayweather.avi.torrent.bak
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\.AppSpecialShare\Floyd Mayweather Jr vs Henry Bruseles.avi.torrent.bak
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\active.mojito
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\passive.mojito
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\player.props
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\questions.props
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\responses.cache
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\simpp.xml
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\spam.dat
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\tables.props
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\version.xml
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\versions.props
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Jonathan Malave\Application Data\LimeWire\xml\data\video.sxml3
c:\program files\runit
c:\program files\runit\config.txt
C:\Rav18_61_42.exe
c:\windows\avge04557.exe
c:\windows\avqhl4521.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\d85588fb-8da5-cdab-f31d-6bab71677c02.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\FTPx.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\MabryObj.dll
c:\windows\system32\nshE.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\u_bcetlkvlynfjpjnk.dll.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\zwozzmkwrxq.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-29 21:39 . 2009-08-29 21:39 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-29 21:39 . 2009-08-29 21:39 -------- dcsh--w- c:\documents and settings\Jonathan Malave\IETldCache
2009-08-29 20:53 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-29 20:53 . 2009-08-29 20:53 -------- dc----w- c:\windows\ie8updates
2009-08-29 20:53 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-29 20:53 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-29 16:54 . 2009-08-29 16:54 -------- dc----w- c:\program files\Microsoft Works
2009-08-29 04:22 . 2009-08-29 20:52 -------- dc-h--w- c:\windows\ie8
2009-08-29 04:20 . 2009-08-29 04:20 -------- dc----w- C:\11d6fc14b292ca73a9d0
2009-08-26 23:38 . 2009-08-26 23:38 -------- dc----w- c:\program files\microsoft frontpage
2009-08-25 21:14 . 2009-08-25 21:14 4 -c--a-w- c:\documents and settings\Jonathan Malave\Application Data\NP.sys
2009-08-25 21:13 . 2009-08-25 21:13 134144 -c--a-w- c:\windows\ceids88045.exe
2009-08-25 21:12 . 2009-08-25 21:12 412160 -c--a-w- c:\windows\denc4602.exe
2009-08-21 23:34 . 2009-08-21 23:35 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-21 23:34 . 2009-08-21 23:34 -------- dc----w- c:\program files\NOS
2009-08-20 20:24 . 2009-08-20 20:25 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-08-14 19:16 . 2009-08-14 19:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Citrix
2009-08-14 19:16 . 2009-08-14 19:16 -------- dc----w- c:\documents and settings\Jonathan Malave\Local Settings\Application Data\Citrix
2009-08-12 02:25 . 2009-08-12 02:25 152576 -c--a-w- c:\documents and settings\Jonathan Malave\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 15:51 . 2006-04-14 19:57 49072 -c--a-w- c:\documents and settings\Jonathan Malave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 01:30 . 2006-07-26 02:00 -------- dc----w- c:\program files\Web Publish
2009-08-27 21:22 . 2006-12-17 14:55 -------- dc----w- c:\program files\Windows Live Safety Center
2009-08-26 21:58 . 2006-04-14 23:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 02:26 . 2007-06-26 06:11 -------- dc----w- c:\program files\Java
2009-08-06 23:52 . 2007-06-10 05:33 -------- dc----w- c:\documents and settings\Jonathan Malave\Application Data\dvdcss
2009-08-05 09:01 . 2004-08-12 13:23 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:29 . 2006-04-14 20:23 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-07-25 09:23 . 2009-07-16 01:55 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-07-24 04:05 . 2009-07-24 04:06 737280 -c--a-w- c:\windows\iun6002.exe
2009-07-17 19:01 . 2004-08-12 13:17 58880 -c--a-w- c:\windows\system32\atl.dll
2009-07-16 01:54 . 2009-07-16 01:54 152576 -c--a-w- c:\documents and settings\Jonathan Malave\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-14 19:40 . 2009-03-11 17:18 -------- dc----w- c:\program files\Google
2009-07-14 19:12 . 2008-07-07 04:41 -------- dc----w- c:\program files\Windows Live
2009-07-14 19:11 . 2008-07-14 19:02 -------- dc----w- c:\program files\Common Files\Apple
2009-07-14 03:43 . 2004-08-12 13:34 286208 -c--a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 03:21 . 2006-04-14 19:59 -------- dc----w- c:\program files\Rising
2009-07-08 03:20 . 2009-07-08 03:20 -------- dc----w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-07-08 03:18 . 2006-05-07 06:48 -------- dc----w- c:\program files\Common Files\Adobe
2009-07-03 17:09 . 2004-08-12 13:33 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-12 13:32 54272 -c--a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-12 13:28 56832 -c--a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-12 13:27 147456 -c--a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-12 13:23 136192 -c--a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-12 13:21 730112 -c--a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-12 13:20 301568 -c--a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-12 13:20 92928 -c--a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-12 13:30 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-12 13:19 81920 -c--a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-12 13:31 80896 -c--a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-12 13:30 76288 -c--a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-12 13:17 84992 -c--a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-04-14 19:48 2066432 -c--a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-12 13:33 132096 -c--a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-12 13:26 1291264 -c--a-w- c:\windows\system32\quartz.dll
2007-09-12 15:19 . 2007-12-01 14:44 8784 -c--a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 15:22 . 2007-12-01 14:44 245408 -c--a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2007-06-08 06:24 . 2007-06-08 06:24 10856 -csha-w- c:\windows\system32\KGyGaAvL.sys
2006-12-24 13:19 . 2006-12-24 13:19 73 -csha-w- c:\windows\system32\SYSDRVREB.SYS
.


(CONTINUED.........)

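Added example, not part of dillyyo72's post and not ComboFix's own code: a small Python triage helper that parses the file lines in the listing above ("Files Created" / "Find3M" lines of the form "created . modified size attrs path", plus bare paths from the deletion list) and flags entries a responder would look at first. The name heuristics (letters-plus-digits stems, GUID names, long vowel-poor strings, double extensions, hidden+system attributes) are assumptions made for this example; a flag is a reason to inspect a file, not a verdict, and legitimate files (licensing drivers, uninstaller stubs) can trip them. The sample lines are copied from the log above.

```python
"""Triage of ComboFix-style file listings (added example, not from the post or ComboFix)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Line layout as printed by ComboFix in the log above:
#   <created> . <modified> <size, or -------- for a directory> <attrs> <path>
DATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)
# Bare "drive:\path" lines such as the deletion list at the top of the post.
BARE_RE = re.compile(r"^(?P<path>[a-zA-Z]:\\.*?)\s*$")

# Heuristics chosen for this example (assumptions; tune for your environment).
RANDOM_STEM = re.compile(r"^[a-z]{4,6}\d{4,6}$")                  # e.g. avge04557
GUID_STEM = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
DOUBLE_EXT = re.compile(r"\.(dll|sys|txt|jpg)\.exe$")
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    path: str
    created: Optional[str] = None
    modified: Optional[str] = None
    size: Optional[int] = None        # None for directories and bare paths
    attrs: str = ""
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file line, or None for banners, headers and blanks."""
    text = line.strip()
    m = DATED_RE.match(text)
    if m:
        size = None if m["size"].startswith("-") else int(m["size"])
        return Entry(m["path"], m["created"], m["modified"], size, m["attrs"])
    m = BARE_RE.match(text)
    return Entry(m["path"]) if m else None


def looks_random(stem: str) -> bool:
    """True for generated-looking stems: letters+digits, GUIDs, or long vowel-poor strings."""
    s = stem.lower()
    if RANDOM_STEM.match(s) or GUID_STEM.match(s):
        return True
    letters = [c for c in s if c.isalpha()]
    if len(letters) < 10:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def triage(entry: Entry) -> List[str]:
    """Attach review reasons to one entry and return them (empty list = nothing noted)."""
    name = entry.name
    stem, dot, _ext = name.rpartition(".")
    if not dot:                        # no extension at all
        stem = name
    if name.endswith(EXEC_EXT) and looks_random(stem):
        entry.reasons.append("random-looking name")
    if DOUBLE_EXT.search(name):
        entry.reasons.append("double extension")
    if not entry.is_dir and "h" in entry.attrs and "s" in entry.attrs:
        entry.reasons.append("hidden+system file")
    return entry.reasons


def flagged(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Parse every line and return (path, reasons) for the entries that were flagged."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is not None and triage(e):
            out.append((e.path, e.reasons))
    return out


SAMPLE_LINES = [  # copied from the ComboFix log in this thread
    r"2009-08-29 21:39 . 2009-08-29 21:39 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache",
    r"2009-08-25 21:13 . 2009-08-25 21:13 134144 -c--a-w- c:\windows\ceids88045.exe",
    r"2009-08-25 21:12 . 2009-08-25 21:12 412160 -c--a-w- c:\windows\denc4602.exe",
    r"2009-08-12 02:25 . 2009-08-12 02:25 152576 -c--a-w- c:\documents and settings\Jonathan Malave\Application Data\Sun\Java\jre1.6.0_15\lzma.dll",
    r"2009-07-24 04:05 . 2009-07-24 04:06 737280 -c--a-w- c:\windows\iun6002.exe",
    r"2007-06-08 06:24 . 2007-06-08 06:24 10856 -csha-w- c:\windows\system32\KGyGaAvL.sys",
    r"c:\windows\system32\d85588fb-8da5-cdab-f31d-6bab71677c02.exe",
    r"c:\windows\system32\u_bcetlkvlynfjpjnk.dll.exe",
    r"c:\windows\system32\zwozzmkwrxq.exe",
    r"c:\program files\runit\config.txt",
    "((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))",
]

if __name__ == "__main__":
    for path, reasons in flagged(SAMPLE_LINES):
        print(f"{path}\n    {', '.join(reasons)}")
```

Run it against a saved ComboFix log with `flagged(open("ComboFix.txt"))`; everything it prints still has to be checked by hand (hash lookup, signer, known-good lists) before anything is deleted.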
dillyyo72
2009-08-30, 19:10
.....CONTINUED
((((((((((((((((((((((((((((( SnapShot@2009-08-29_16.34.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-12 13:26 . 2009-03-08 08:31 46592 c:\windows\system32\pngfilt.dll
+ 2004-08-12 13:23 . 2009-03-08 08:31 48128 c:\windows\system32\mshtmler.dll
- 2004-08-12 13:23 . 2007-08-13 22:01 48128 c:\windows\system32\mshtmler.dll
+ 2004-08-12 13:23 . 2009-03-08 08:31 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-12 13:23 . 2009-03-08 08:31 45568 c:\windows\system32\mshta.exe
- 2004-08-12 13:23 . 2007-08-13 22:32 45568 c:\windows\system32\mshta.exe
+ 2006-10-17 16:58 . 2009-03-08 08:31 13312 c:\windows\system32\msfeedssync.exe
+ 2006-11-08 02:03 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-12 13:21 . 2009-03-08 08:34 43008 c:\windows\system32\licmgr10.dll
+ 2004-08-12 13:20 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-12 13:20 . 2009-03-08 08:32 94720 c:\windows\system32\inseng.dll
+ 2004-08-12 13:20 . 2009-03-08 08:31 34816 c:\windows\system32\imgutil.dll
+ 2004-08-12 13:19 . 2009-03-08 08:32 71680 c:\windows\system32\iesetup.dll
+ 2004-08-12 13:19 . 2009-03-08 08:32 55808 c:\windows\system32\iernonce.dll
+ 2006-10-17 16:58 . 2009-03-08 08:31 59904 c:\windows\system32\icardie.dll
+ 2004-08-12 13:26 . 2009-03-08 08:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-12 13:23 . 2009-03-08 08:31 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2004-08-12 13:23 . 2007-08-13 22:01 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2004-08-12 13:23 . 2009-03-08 08:31 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-12 13:23 . 2007-08-13 22:32 45568 c:\windows\system32\dllcache\mshta.exe
+ 2004-08-12 13:23 . 2009-03-08 08:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2007-05-09 02:30 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-12 13:21 . 2009-03-08 08:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-12 13:20 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-12 13:20 . 2009-03-08 08:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2004-08-12 13:20 . 2009-03-08 08:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2004-08-12 13:19 . 2009-03-08 08:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2004-08-12 13:19 . 2009-03-08 08:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2007-08-20 10:04 . 2009-03-08 08:31 59904 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-13 22:18 . 2009-03-08 08:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2004-08-12 13:18 . 2009-03-08 08:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2004-08-12 13:17 . 2009-03-08 08:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2004-08-12 13:18 . 2009-03-08 08:33 18944 c:\windows\system32\corpol.dll
- 2006-04-14 19:55 . 2009-08-29 16:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-04-14 19:55 . 2009-08-30 15:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-04-14 19:55 . 2009-08-30 15:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-04-14 19:55 . 2009-08-29 16:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-04-14 19:55 . 2009-08-30 15:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-04-14 19:55 . 2009-08-29 16:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-12 13:17 . 2009-03-08 08:32 72704 c:\windows\system32\admparse.dll
- 2006-04-14 22:19 . 2009-08-11 23:35 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-04-14 22:19 . 2009-08-11 23:35 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-04-14 22:19 . 2009-08-11 23:35 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-04-14 22:19 . 2009-08-11 23:35 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-08-29 20:53 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB972260-IE8\xpshims.dll
+ 2009-08-29 20:53 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB972260-IE8\msfeedsbs.dll
+ 2009-08-29 20:53 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB972260-IE8\jsproxy.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 44544 c:\windows\ie8\pngfilt.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 44544 c:\windows\ie8\pngfilt.dll
- 2009-08-29 04:23 . 2007-08-13 22:01 48128 c:\windows\ie8\mshtmler.dll
+ 2009-08-29 20:52 . 2007-08-13 22:01 48128 c:\windows\ie8\mshtmler.dll
+ 2009-08-29 20:52 . 2007-08-13 22:32 45568 c:\windows\ie8\mshta.exe
- 2009-08-29 04:23 . 2007-08-13 22:32 45568 c:\windows\ie8\mshta.exe
- 2009-08-29 04:23 . 2007-08-13 22:36 12288 c:\windows\ie8\msfeedssync.exe
+ 2009-08-29 20:52 . 2007-08-13 22:36 12288 c:\windows\ie8\msfeedssync.exe
+ 2009-08-29 20:52 . 2009-06-29 16:12 52224 c:\windows\ie8\msfeedsbs.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 52224 c:\windows\ie8\msfeedsbs.dll
+ 2009-08-29 20:52 . 2007-08-13 22:44 40960 c:\windows\ie8\licmgr10.dll
- 2009-08-29 04:23 . 2007-08-13 22:44 40960 c:\windows\ie8\licmgr10.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 27648 c:\windows\ie8\jsproxy.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 27648 c:\windows\ie8\jsproxy.dll
- 2009-08-29 04:23 . 2007-08-13 22:39 92672 c:\windows\ie8\inseng.dll
+ 2009-08-29 20:52 . 2007-08-13 22:39 92672 c:\windows\ie8\inseng.dll
- 2009-08-29 04:23 . 2007-08-13 22:36 36352 c:\windows\ie8\imgutil.dll
+ 2009-08-29 20:52 . 2007-08-13 22:36 36352 c:\windows\ie8\imgutil.dll
+ 2009-08-29 20:52 . 2007-08-13 22:39 55296 c:\windows\ie8\iesetup.dll
- 2009-08-29 04:23 . 2007-08-13 22:39 55296 c:\windows\ie8\iesetup.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 44544 c:\windows\ie8\iernonce.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 44544 c:\windows\ie8\iernonce.dll
- 2009-08-29 04:22 . 2009-06-29 11:07 70656 c:\windows\ie8\ie4uinit.exe
+ 2009-08-29 20:52 . 2009-06-29 11:07 70656 c:\windows\ie8\ie4uinit.exe
+ 2009-08-29 20:52 . 2009-06-29 16:12 63488 c:\windows\ie8\icardie.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 63488 c:\windows\ie8\icardie.dll
+ 2009-08-29 20:52 . 2007-08-13 22:18 60416 c:\windows\ie8\hmmapi.dll
- 2009-08-29 04:22 . 2007-08-13 22:18 60416 c:\windows\ie8\hmmapi.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 17408 c:\windows\ie8\corpol.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 17408 c:\windows\ie8\corpol.dll
- 2009-08-29 04:22 . 2007-08-13 22:39 71680 c:\windows\ie8\admparse.dll
+ 2009-08-29 20:52 . 2007-08-13 22:39 71680 c:\windows\ie8\admparse.dll
+ 2006-04-14 22:19 . 2009-08-29 16:55 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-04-14 22:19 . 2009-08-11 23:35 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-08-29 20:53 . 2009-03-08 08:35 2048 c:\windows\ie8updates\KB973874-IE8\iecompat.dll
+ 2006-10-17 17:05 . 2009-03-08 08:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2004-08-12 13:33 . 2009-03-08 08:34 236544 c:\windows\system32\webcheck.dll
+ 2004-08-12 13:32 . 2009-03-08 08:33 420352 c:\windows\system32\vbscript.dll
+ 2004-08-12 13:31 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll
- 2004-08-12 13:31 . 2009-06-29 16:12 105984 c:\windows\system32\url.dll
+ 2004-08-12 13:25 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
+ 2004-08-12 13:23 . 2009-03-08 08:32 611840 c:\windows\system32\mstime.dll
+ 2004-08-12 13:23 . 2009-03-08 08:34 193536 c:\windows\system32\msrating.dll
+ 2004-08-12 13:23 . 2009-03-08 08:22 156160 c:\windows\system32\msls31.dll
- 2004-08-12 13:23 . 2007-08-13 22:54 156160 c:\windows\system32\msls31.dll
+ 2006-11-08 02:03 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
+ 2004-08-12 13:20 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2006-11-08 02:03 . 2009-03-08 08:22 164352 c:\windows\system32\ieui.dll
+ 2004-08-12 13:19 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2004-08-12 13:19 . 2009-07-03 17:09 386048 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 16:27 . 2009-03-08 08:11 445952 c:\windows\system32\ieapfltr.dll
+ 2004-08-12 13:19 . 2009-03-08 08:32 163840 c:\windows\system32\ieakui.dll
+ 2004-08-12 13:19 . 2009-03-08 08:33 229376 c:\windows\system32\ieaksie.dll
+ 2004-08-12 13:19 . 2009-03-08 08:33 125952 c:\windows\system32\ieakeng.dll
+ 2004-08-12 13:19 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
- 2006-04-14 15:44 . 2009-08-14 13:20 213360 c:\windows\system32\FNTCACHE.DAT
+ 2006-04-14 15:44 . 2009-08-29 21:38 213360 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-12 13:18 . 2009-03-08 08:31 216064 c:\windows\system32\dxtrans.dll
+ 2004-08-12 13:18 . 2009-03-08 08:31 348160 c:\windows\system32\dxtmsft.dll
+ 2004-08-12 13:33 . 2009-07-03 17:09 915456 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-12 13:33 . 2009-03-08 08:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2006-04-14 19:50 . 2009-03-08 08:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2004-08-12 13:32 . 2009-03-08 08:33 420352 c:\windows\system32\dllcache\vbscript.dll
- 2004-08-12 13:31 . 2009-06-29 16:12 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-12 13:31 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-12 13:25 . 2009-07-03 17:09 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-12 13:23 . 2009-03-08 08:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-12 13:23 . 2009-03-08 08:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-12 13:23 . 2009-03-08 08:22 156160 c:\windows\system32\dllcache\msls31.dll
- 2004-08-12 13:23 . 2007-08-13 22:54 156160 c:\windows\system32\dllcache\msls31.dll
+ 2007-05-09 02:30 . 2009-07-03 17:09 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2004-08-12 13:20 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2007-08-13 22:43 . 2009-03-08 18:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2004-08-12 13:19 . 2009-07-03 17:09 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-12 13:19 . 2009-07-03 17:09 386048 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-09 02:30 . 2009-03-08 08:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-08-12 13:19 . 2009-03-08 08:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-12 13:19 . 2009-03-08 08:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-12 13:19 . 2009-03-08 08:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-12 13:19 . 2009-07-03 11:01 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-12 13:18 . 2009-03-08 08:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-12 13:18 . 2009-03-08 08:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-12 13:17 . 2009-03-08 08:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2009-08-29 21:39 . 2009-08-30 04:56 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2004-08-12 13:17 . 2009-03-08 08:32 128512 c:\windows\system32\advpack.dll
- 2006-04-14 22:19 . 2009-08-11 23:35 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-04-14 22:19 . 2009-08-11 23:35 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-04-14 22:19 . 2009-08-11 23:35 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-04-14 22:19 . 2009-08-29 16:55 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-04-14 22:19 . 2009-08-11 23:35 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-08-29 20:53 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB973874-IE8\spuninst\updspapi.dll
+ 2009-08-29 20:53 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB973874-IE8\spuninst\spuninst.exe
+ 2009-08-29 20:53 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB972260-IE8\wininet.dll
+ 2009-08-29 20:53 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB972260-IE8\spuninst\updspapi.dll
+ 2009-08-29 20:53 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB972260-IE8\spuninst\spuninst.exe
+ 2009-08-29 20:53 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB972260-IE8\occache.dll
+ 2009-08-29 20:53 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB972260-IE8\msfeeds.dll
+ 2009-08-29 20:53 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB972260-IE8\ieproxy.dll
+ 2009-08-29 20:53 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB972260-IE8\iepeers.dll
+ 2009-08-29 20:53 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB972260-IE8\iedkcs32.dll
+ 2009-08-29 20:53 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB972260-IE8\ie4uinit.exe
- 2009-08-29 04:23 . 2009-06-29 16:12 102912 c:\windows\ie8\occache.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 102912 c:\windows\ie8\occache.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 671232 c:\windows\ie8\mstime.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 671232 c:\windows\ie8\mstime.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 193024 c:\windows\ie8\msrating.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 193024 c:\windows\ie8\msrating.dll
+ 2009-08-29 20:52 . 2007-08-13 22:54 156160 c:\windows\ie8\msls31.dll
- 2009-08-29 04:23 . 2007-08-13 22:54 156160 c:\windows\ie8\msls31.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 477696 c:\windows\ie8\mshtmled.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 477696 c:\windows\ie8\mshtmled.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 459264 c:\windows\ie8\msfeeds.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 459264 c:\windows\ie8\msfeeds.dll
- 2009-08-29 04:23 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
+ 2009-08-29 20:52 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
- 2009-08-29 04:23 . 2009-06-29 08:35 634632 c:\windows\ie8\iexplore.exe
+ 2009-08-29 20:52 . 2009-06-29 08:35 634632 c:\windows\ie8\iexplore.exe
- 2009-08-29 04:23 . 2007-08-13 22:54 180736 c:\windows\ie8\ieui.dll
+ 2009-08-29 20:52 . 2007-08-13 22:54 180736 c:\windows\ie8\ieui.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 268288 c:\windows\ie8\iertutil.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 268288 c:\windows\ie8\iertutil.dll
- 2009-08-29 04:23 . 2007-08-13 22:54 287744 c:\windows\ie8\ieproxy.dll
+ 2009-08-29 20:52 . 2007-08-13 22:54 287744 c:\windows\ie8\ieproxy.dll
- 2009-08-29 04:23 . 2007-08-13 22:54 191488 c:\windows\ie8\iepeers.dll
+ 2009-08-29 20:52 . 2007-08-13 22:54 191488 c:\windows\ie8\iepeers.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 385024 c:\windows\ie8\iedkcs32.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 385024 c:\windows\ie8\iedkcs32.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 380928 c:\windows\ie8\ieapfltr.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 380928 c:\windows\ie8\ieapfltr.dll
- 2009-08-29 04:23 . 2009-06-29 08:33 161792 c:\windows\ie8\ieakui.dll
+ 2009-08-29 20:52 . 2009-06-29 08:33 161792 c:\windows\ie8\ieakui.dll
- 2009-08-29 04:23 . 2009-06-29 16:12 230400 c:\windows\ie8\ieaksie.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 230400 c:\windows\ie8\ieaksie.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 153088 c:\windows\ie8\ieakeng.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 153088 c:\windows\ie8\ieakeng.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 214528 c:\windows\ie8\dxtrans.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 214528 c:\windows\ie8\dxtrans.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 347136 c:\windows\ie8\dxtmsft.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 347136 c:\windows\ie8\dxtmsft.dll
+ 2009-08-29 20:52 . 2009-06-29 16:12 124928 c:\windows\ie8\advpack.dll
- 2009-08-29 04:22 . 2009-06-29 16:12 124928 c:\windows\ie8\advpack.dll
+ 2004-08-12 13:31 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2004-08-12 13:23 . 2009-07-19 13:18 5937152 c:\windows\system32\mshtml.dll
+ 2006-10-17 16:57 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2006-09-06 04:01 . 2009-02-07 01:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2004-08-12 13:31 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-12 13:23 . 2009-07-19 13:18 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 02:30 . 2009-07-03 17:09 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-09 02:30 . 2009-02-07 01:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-08-29 20:53 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB972260-IE8\urlmon.dll
+ 2009-08-29 20:53 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB972260-IE8\mshtml.dll
+ 2009-08-29 20:53 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll
+ 2009-08-29 20:52 . 2009-07-19 13:33 3597824 c:\windows\ie8\mshtml.dll
- 2009-08-29 04:23 . 2009-07-19 13:33 3597824 c:\windows\ie8\mshtml.dll
- 2009-08-29 04:22 . 2009-07-19 13:32 6067200 c:\windows\ie8\ieframe.dll
+ 2009-08-29 20:52 . 2009-07-19 13:32 6067200 c:\windows\ie8\ieframe.dll
- 2009-08-29 04:22 . 2009-06-29 08:33 2452872 c:\windows\ie8\ieapfltr.dat
+ 2009-08-29 20:52 . 2009-06-29 08:33 2452872 c:\windows\ie8\ieapfltr.dat
+ 2006-11-08 02:03 . 2009-07-19 22:48 11067392 c:\windows\system32\ieframe.dll
+ 2007-05-09 02:30 . 2009-07-19 22:48 11067392 c:\windows\system32\dllcache\ieframe.dll
+ 2009-08-29 20:53 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB972260-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-4-14 209016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"winupdate.exe"=c:\windows\system32\winupdate.exe
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 BaseTDI;Rising TDI Base Driver;c:\windows\system32\drivers\basetdi.sys [4/14/2006 4:42 PM 13364]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
R3 ak1avs;ak1avs;c:\windows\system32\drivers\ak1avs.sys [4/25/2009 11:43 PM 25600]
R3 ak1usb;ak1usb;c:\windows\system32\drivers\ak1usb.sys [4/25/2009 11:43 PM 186368]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [10/18/2006 1:01 PM 16512]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/12/2004 9:30 AM 14336]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [4/14/2006 4:23 PM 57344]

--- Other Services/Drivers In Memory ---

*Deregistered* - hookcont
*Deregistered* - RsNTGDI

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

BHO-{bf386b10-fd3b-eed5-2442-8fcb4e6e963e} - c:\windows\system32\nshE.dll
HKCU-Run-HijackThis startup scan - c:\program files\Trend Micro\HijackThis\HijackThis.exe
ShellExecuteHooks-{32CD708B-60A7-4C00-9377-D73EAA495F0F} - c:\windows\system32\RavExt.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - hxxp://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
FF - ProfilePath - c:\documents and settings\Jonathan Malave\Application Data\Mozilla\Firefox\Profiles\3ag8935g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\Jonathan Malave\Application Data\Mozilla\Firefox\Profiles\3ag8935g.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 12:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-30 12:03
ComboFix-quarantined-files.txt 2009-08-30 16:02
ComboFix2.txt 2009-08-29 16:38

Pre-Run: 10,120,871,936 bytes free
Post-Run: 10,059,796,480 bytes free

844 --- E O F --- 2009-08-29 20:53
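
One thing worth pulling out of the ComboFix log above is the firewall policy block: EnableFirewall is 0, the AuthorizedApplications list contains mshta.exe and mmc.exe, and 3389/TCP is open to any source. The XP firewall filters inbound traffic only, so an AuthorizedApplications entry lets that program accept connections. The script below is an added example (not part of the thread and not a ComboFix feature) that parses the REGEDIT4-style section ComboFix prints and flags those three conditions. The sample input is the firewall block copied from the log; the lists of binaries and ports it treats as suspicious are my own choices for the example, not anything ComboFix ships.

```python
"""Triage the Windows Firewall policy keys in a ComboFix "Reg Loading Points"
dump.  Added example; not from the thread and not part of ComboFix."""
import re

# Section headers look like [HKLM\~\services\sharedaccess\...]; values look
# like "Name"= data.  Both follow the REGEDIT4-style dump ComboFix prints.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')

# System binaries that run scripts, snap-ins or arbitrary DLLs and that Windows
# does not add to the exception list by default (my list for this example).
ABUSABLE_HOSTS = {
    "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "cmd.exe", "powershell.exe", "mmc.exe", "svchost.exe",
}
# Ports a home workstation should not expose to every source (my list).
RISKY_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB",
               3389: "Remote Desktop", 5900: "VNC"}

# Sample input: the firewall-policy block of the ComboFix log above, verbatim.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""


def parse_reg_dump(text):
    """Return {section_key_lower: [(value_name, data), ...]} for a REGEDIT4-style dump."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("data").strip()))
    return sections


def _basename(value_name):
    """Last path component of a value name (ComboFix doubles the backslashes)."""
    return value_name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()


def triage_firewall(sections):
    """Return (profile, finding) pairs for the firewall-policy sections of a dump."""
    findings = []
    for key, values in sections.items():
        if "firewallpolicy\\" not in key:
            continue
        # standardprofile / domainprofile is the component after firewallpolicy\
        profile = key.split("firewallpolicy\\", 1)[1].split("\\", 1)[0]
        if key.endswith("profile"):
            for name, data in values:
                if name.lower() == "enablefirewall" and data.split()[:1] == ["0"]:
                    findings.append((profile, "firewall disabled (EnableFirewall=0)"))
        elif key.endswith("authorizedapplications\\list"):
            for name, _ in values:
                exe = _basename(name)
                if exe in ABUSABLE_HOSTS:
                    findings.append((profile, f"inbound exception for system binary {exe}"))
        elif key.endswith("globallyopenports\\list"):
            for name, _ in values:
                port, _, proto = name.partition(":")
                if port.isdigit() and int(port) in RISKY_PORTS:
                    findings.append((profile, f"port {port}/{proto} open to any source "
                                              f"({RISKY_PORTS[int(port)]})"))
    return findings


if __name__ == "__main__":
    for profile, finding in triage_firewall(parse_reg_dump(SAMPLE_LOG)):
        print(f"[{profile}] {finding}")
```

Running it against the log block prints the disabled firewall, the two system-binary exceptions and the open Remote Desktop port; firefox.exe, sessmgr.exe, xpnetdiag.exe and the Roxio entry are left alone. To run it on a full ComboFix log, pass the whole file to parse_reg_dump; sections outside firewallpolicy are parsed but ignored by triage_firewall.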

Shaba
2009-08-30, 21:06
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on the Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

dillyyo72
2009-08-31, 03:12
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 30, 2009 22:10:39
Records in database: 2730279
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 68228
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 01:18:49


File name / Threat / Threats count
C:\Qoobox\Quarantine\[4]-Submit_2009-08-30_11.53.45.zip Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\WINDOWS\system32\gvwf.exe Infected: Trojan-Downloader.Win32.Pher.ij 1

Selected area has been scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:02 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Dillyyo72.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145072392000
O16 - DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - http://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 7779 bytes

Shaba
2009-08-31, 06:58
Empty this folder:

C:\Qoobox\Quarantine

Delete this:

C:\WINDOWS\system32\gvwf.exe

Empty Recycle Bin.

Still problems?

dillyyo72
2009-08-31, 18:16
Did as you said and all seems well so far. Can you tell me how I should go about cleaning an external USB hard drive? I used it with this desktop and I think that's how my laptop got infected (different thread). I just don't want to hook it back up and infect again.

Also, I use Rising AV (free edition) and Spybot for protection. Can you tell me any particular recommended programs I can put on my computer, free or pay, that don't bog down the system? I also read that Windows Firewall is not accurate; is this true?

Again, I appreciate the time and effort you put towards resolving my problem. You guys are invaluable.

Shaba
2009-08-31, 19:15
You will need to disable AutoRun first. See here (http://support.microsoft.com/kb/967715) for how to do it.

Then you can just attach it, go to my computer, right-click drive and choose format (unless there is nothing you want to save).
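
The advice above is to disable AutoRun before plugging the drive in and then not to open it, because opening the drive is what lets an autorun.inf at its root launch a program. The script below is an added example, not part of the thread and not from any vendor tool, that shows what such a file would do without opening the drive: it finds autorun.inf at a mount point, parses the [autorun] section, and lists every directive that launches something (open=, shellexecute= and shell\verb\command= entries) along with whether the referenced file is actually on the drive. The autorun.inf contents and the drive layout in demo() are constructed for the example. Run it from a clean machine, or with AutoRun already disabled, and pass the mount point as the argument.

```python
"""List what a removable drive's autorun.inf would launch, without opening the
drive.  Added example; not from the thread and not from any vendor tool."""
import os
import re
import sys
import tempfile
from pathlib import Path

# Directives in [autorun] that run a program when AutoRun fires or when the
# drive is double-clicked in My Computer.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command= adds or overrides a context-menu verb (open, explore, ...).
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample for the example; not the contents of the drive in the thread.
SAMPLE_AUTORUN_INF = r"""
[autorun]
; icon and label make the drive look ordinary in My Computer
icon=setup.exe,0
label=Photos
; action= is the text shown in the AutoPlay dialog; mimicking the built-in
; "Open folder to view files" entry is a common trick
action=Open folder to view files
open=setup.exe
shell\open\command=setup.exe
shell\explore\command="RECYCLER\helper.exe" /s
"""


def parse_autorun_inf(text):
    """Return {section_lower: [(key_lower, value), ...]} keeping order and duplicates."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()          # tolerate a UTF-8 BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(sections):
    """(key, command) pairs from [autorun] that would execute something."""
    return [(k, v) for k, v in sections.get("autorun", [])
            if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def referenced_executable(command):
    """The file a command line runs: the quoted first token, or the first word."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def assess_drive(root):
    """Findings for a mounted drive root, one string per item."""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return ["no autorun.inf at drive root"]
    findings = [f"autorun.inf present: {inf}"]
    sections = parse_autorun_inf(inf.read_text(errors="replace"))
    for key, value in sections.get("autorun", []):
        if key == "action":
            findings.append(f"AutoPlay dialog text overridden: action={value!r}")
    targets = launch_targets(sections)
    if not targets:
        findings.append("no launch directives (icon/label only)")
    for key, command in targets:
        exe = referenced_executable(command)
        target = root / exe.replace("\\", os.sep)  # autorun paths are drive-relative
        state = "exists" if target.exists() else "MISSING"
        findings.append(f"{key}={command} -> {exe} ({state})")
    return findings


def demo():
    """Lay the constructed sample out in a temp dir and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        (root / "setup.exe").write_bytes(b"MZ")  # stand-in for the payload
        return assess_drive(root)                # RECYCLER\helper.exe is left missing


if __name__ == "__main__":
    for line in (assess_drive(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(line)
```

With no argument it runs the constructed sample and reports three launch directives, two pointing at a file that exists and one at a missing helper. A launch target that is missing usually means the payload was already cleaned off the drive, but the autorun.inf itself should still go, since a later infection can drop a new payload under the same name.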

dillyyo72
2009-08-31, 19:53
I'm sorry, but I think I still have an issue. I downloaded Malwarebytes because I saw that it was a commonly used program and figured it would be good. I scanned my system with it and it is showing objects as infections. It currently shows 4. It is still scanning, so I will post what is found when it is done. Just didn't want you to close the file. Thanks.

dillyyo72
2009-08-31, 20:05
Ok, here is the Malwarebytes report:


Malwarebytes' Anti-Malware 1.40
Database version: 2722
Windows 5.1.2600 Service Pack 3

8/31/2009 1:03:06 PM
mbam-log-2009-08-31 (13-02-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 186849
Time elapsed: 48 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{60088CA5-9B3D-41A3-83E7-E94BC8BF7640}\RP0\A0000002.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{60088CA5-9B3D-41A3-83E7-E94BC8BF7640}\RP0\A0000003.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{60088CA5-9B3D-41A3-83E7-E94BC8BF7640}\RP2\A0002669.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{60088CA5-9B3D-41A3-83E7-E94BC8BF7640}\RP2\A0002670.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Jonathan Malave\Application Data\NP.sys (Malware.Trace) -> No action taken.



I also wanted to note that my browsers (Mozilla and IE) tend to open slowly and I have noticed flickering, some on the desktop, but more so in browsers.

Shaba
2009-08-31, 20:16
Four of those are in System Restore. Did you let mbam remove them all?

dillyyo72
2009-08-31, 20:21
No. I noticed that. Should I turn off System Restore and restart my computer, or should I let mbam remove them first and then do the restart?

Shaba
2009-08-31, 21:13
Please let mbam remove them, restart and post back a fresh mbam log :)

dillyyo72
2009-08-31, 23:32
Well, it seems that I am clean! Now, if only you could jump onto my laptop thread so I can clean that one up!! Thanks for all of your help.

BTW, I saw your post on disabling AutoRun for the external drive. Just to be clear, are you saying that as long as that is disabled I can then hook up my USB drive and scan it with Rising, Spybot and mbam to check for malware?

dillyyo72
2009-08-31, 23:33
Sorry, I forgot to attach the report

Malwarebytes' Anti-Malware 1.40
Database version: 2722
Windows 5.1.2600 Service Pack 3

8/31/2009 4:30:02 PM
mbam-log-2009-08-31 (16-30-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 187300
Time elapsed: 56 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Shaba
2009-09-01, 07:15
"BTW, I saw your post on disabling AutoRun for the external drive. Just to be clear, are you saying that as long as that is disabled I can then hook up my USB drive and scan it with Rising, Spybot and mbam to check for malware?"

Yes but don't open it.

Any other concerns? :)

dillyyo72
2009-09-01, 09:33
No, but thanks a lot. Appreciate the time you gave.

Shaba
2009-09-01, 16:52
Good :)

Please reinstall Rising and post back a fresh HijackThis log and I will give you final instructions.

dillyyo72
2009-09-01, 19:16
Just to give you a heads up, I have reinstalled Rising and I have also added Comodo D+ firewall. One thing I have noticed since I was infected is that many apps that I have, and Windows in general, are acting like I am using them for the first time. Things have been reset to defaults, I guess, and some programs try to install (Roxio Media Manager from BB Desktop Manager, I assume, but I keep denying the install), and Outlook is as if I never set it up. Is that just behavior from the infections?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:41 PM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Dillyyo72.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145072392000
O16 - DPF: {C7477E5B-9297-4083-A4B3-A6BBC611F7C9} - http://www.blackberry.com/CalendarPatch/patch/desktop/DevicePatchLoaderUSB.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 9202 bytes

Shaba
2009-09-01, 19:38
Do they do it all the time or just once?

dillyyo72
2009-09-01, 19:55
Do they do it all the time or just once?

Just once as far as I know. I haven't bothered hooking up Outlook until I am clean, so I can't say for sure for that app. Roxio keeps on trying to install, but I had this same issue with a newer version of BlackBerry manager a while ago. My solution was to drop down to an older version, so I don't know if it was a bug in the new release, but Roxio media manager always seemed flaky on the desktop manager for BB.

I went into Program Files and deleted the Roxio folder, but I assume that the installer is launching from somewhere else within the system. I think the infections had tampered with my registry policies because it blocked out Task Manager, and as per instructions on the net I had to change a few key policies, as the trojan's behavior was to change them.

Needless to say everything is running without hangups, I have no findable infections and I am thinking the roxio thing is just a glitch in that program for BB desktop manager. I will just delete it when I have the time to look for the files.

dillyyo72
2009-09-01, 20:30
I let the Roxio installer go and it did not finish loading since it could not locate a certificate or target files (the ones I deleted). So, I just need to keep that installer from launching and I think I am golden.:santa:

Shaba
2009-09-01, 21:08
This (http://support.microsoft.com/kb/290301) might help here.

Remove all Roxio related entries and tell if it helped.

dillyyo72
2009-09-02, 05:13
That did the trick!! You guys are the best:rockon:

Shaba
2009-09-02, 06:55
Good :)

Still something?

dillyyo72
2009-09-02, 07:11
Good :)

Still something?

Nope, all is good! Just tell me what I need to do in closing.

Shaba
2009-09-02, 07:24
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:
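Added here as an example, not from the thread or from any of the tools named in it: a read-only PowerShell check that reports the current Internet-zone level for the six settings the post says to change, so you can see which ones are still at a weaker level after following the steps. It assumes the per-user zone settings live under HKCU:\...\Internet Settings\Zones\3, that action IDs 1001, 1004, 1201, 1800, 1804 and 1607 correspond to those six settings, and that the values 0/1/3 mean Enable/Prompt/Disable; confirm the IDs against your IE version before relying on them.

```powershell
# Zone 3 is the "Internet" zone in Internet Explorer's security settings (assumed path).
$zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
if (-not (Test-Path $zone3)) { throw "Zone key not found: $zone3" }

# Desired level per setting, as recommended in the post above.
# Keys are the assumed URL action IDs stored as registry value names.
$wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                              Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                  Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';               Value = 1 }  # Prompt
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$props = Get-ItemProperty -Path $zone3
foreach ($id in ($wanted.Keys | Sort-Object)) {
    $current = $props.$id
    if ($null -eq $current) {
        # No explicit value: IE falls back to the zone template default, so flag it for review.
        $curLabel = 'n/a'
        $status   = 'NOT SET (template default applies)'
    } else {
        $curLabel = if ($label.ContainsKey([int]$current)) { $label[[int]$current] } else { "raw=$current" }
        $status   = if ([int]$current -eq $wanted[$id].Value) { 'OK' } else { 'WEAK' }
    }
    '{0,-4} {1,-62} current={2,-8} wanted={3,-8} {4}' -f `
        $id, $wanted[$id].Name, $curLabel, $label[$wanted[$id].Value], $status
}
```

Any line marked WEAK or NOT SET is one to revisit through the Custom Level dialog described above; the script only reads the values and changes nothing.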

dillyyo72
2009-09-02, 08:50
I don't know if this thread is closed yet, but I just encountered a problem after starting to do what you asked. After getting rid of ComboFix and using the clean-up utility I restarted my system. On boot-up of Windows, while on the desktop with programs starting, I got a RUNDLL box saying that there was an "error loading C:\WINDOWS\system32\NvCpl.dll". I searched in that folder and found the same file, but in lowercase letters. NVIDIA file.

I then had a problem logging into IE 8 as I was trying to set it up as you said. Every time I clicked on it to open, it would open and disappear. I then uninstalled it and restarted my comp to get the same previous error about NvCpl.dll. The error comes up twice at boot-up.

I then tried Add/Remove to see if IE was taken out and I get an error for any icon in Control Panel. Same RUNDLL box and error, but this time pointing to the system32 subfolder Shell32.dll. I also confirmed that this file was there, and it is. :sad:

dillyyo72
2009-09-02, 08:53
Basically I get an "access is denied" error

Shaba
2009-09-02, 09:10
I suggest that you try to reinstall NVIDIA software/drivers next.

dillyyo72
2009-09-02, 09:15
Pay me no mind, it was the Comodo firewall:oops: I uninstalled it and I will reinstall now. Thanks anyway.

Shaba
2009-09-02, 09:46
OK, let me know if it helped :)

dillyyo72
2009-09-02, 10:20
I think we are good to go. ;)

Shaba
2009-09-02, 10:34
Good :)

I hope that you stay clean in the future.

Shaba
2009-09-12, 11:38
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.