HJT Log - Having problems with spyware and malware
sara1221
2009-09-05, 23:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:05 PM, on 9/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80208
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 6192 bytes
Hi sara1221
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
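The helper's verdict above comes from reading the log entries by hand. As an added example (not part of this thread and not HijackThis's own code), the following Python script applies the same structural checks to sample lines copied from the log above: an extra executable chained into Userinit (F2), a non-empty AppInit_DLLs (O20), an autostart launched from a temporary directory (O4), and IE search settings pointing at a third-party host (R0/R1). The Finding class, the check names and the severity labels are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted above,
# mixed with benign entries, so the triage can run offline.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80208
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
O20 - AppInit_DLLs: cru629.dat
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O4", "O20"
    severity: str  # "high" or "medium" (labels chosen for this example)
    reason: str
    line: str


# Windows itself only ever sets "userinit.exe," here; anything chained after
# the comma is started by winlogon at every interactive logon.
DEFAULT_USERINIT = "userinit.exe"
# Legitimate software does not keep a permanent autostart in a temp folder.
TEMP_PATH_RE = re.compile(r"\\temp(orary internet files)?\\", re.IGNORECASE)
# Hosts expected in Microsoft's own default IE start/search settings.
MS_HOST_RE = re.compile(r"^https?://[^/]*\.microsoft\.com/", re.IGNORECASE)


def check_userinit(line: str) -> List[Finding]:
    """F2: flag every executable in the Userinit chain other than userinit.exe."""
    value = line.split("UserInit=", 1)[1]
    findings = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower().rsplit("\\", 1)[-1] != DEFAULT_USERINIT:
            findings.append(Finding("F2", "high",
                f"extra executable chained into Userinit: {item}", line))
    return findings


def check_appinit(line: str) -> List[Finding]:
    """O20: a non-empty AppInit_DLLs is loaded into every process that loads user32.dll."""
    value = line.split("AppInit_DLLs:", 1)[1].strip()
    if value:
        return [Finding("O20", "high",
            f"AppInit_DLLs is non-empty ({value}); loaded into every user32 process", line)]
    return []


def check_run_entry(line: str) -> List[Finding]:
    """O4: flag Run/Startup entries whose command lives in a temporary directory."""
    m = re.match(r"O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", line)
    if not m:
        return []
    if TEMP_PATH_RE.search(m.group("cmd")):
        return [Finding("O4", "high",
            f"autostart '{m.group('name')}' runs from a temporary directory", line)]
    return []


def check_search_settings(line: str) -> List[Finding]:
    """R0/R1: flag IE start/search URLs that point somewhere other than Microsoft."""
    m = re.match(r"R[01] - .*,(?P<setting>\w+) = (?P<url>\S+)", line)
    if not m or not m.group("url").lower().startswith("http"):
        return []
    if not MS_HOST_RE.match(m.group("url")):
        return [Finding(line[:2], "medium",
            f"IE {m.group('setting')} points at a third-party host: {m.group('url')}", line)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every check over a HijackThis log and return the findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            findings.extend(check_userinit(line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.extend(check_appinit(line))
        elif line.startswith("O4 - "):
            findings.extend(check_run_entry(line))
        elif line.startswith(("R0 - ", "R1 - ")):
            findings.extend(check_search_settings(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

The checks are purely structural, so an entry such as the braviax.exe Run key passes them; identifying that one still needs a signature or reputation lookup, which is why the helper asks for a ComboFix run next.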
sara1221
2009-09-07, 20:13
I would like to be assisted in cleaning this computer.
Thank you.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
sara1221
2009-09-09, 06:16
I'm having trouble running ComboFix. I downloaded it, turned my AVG off and shut off all programs, and it won't run. I double-click on the icon and it shows a timer but then does nothing. I tried to uninstall it to download it again, but it said it was unable to uninstall it. Any suggestions or other programs that will work?
Please try to run it then in safe mode :)
sara1221
2009-09-11, 06:09
I was unable to run it in safe mode. I download it, save it to the desktop, run it, but it stops there. I turned off AVG but still no luck. I can see it running in my Processes tab but I don't see anything. One more thing: also under the Processes tab I see several iexplore.exe processes running when I don't even have any Internet Explorer screens up. Please advise on how I should proceed. Thanks!
Please then rename combofix.exe and try to run it again in safe mode.
sara1221
2009-09-13, 08:26
ComboFix 09-08-31.03 - Owner 09/13/2009 1:15.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.701.439 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\computerhelp.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\braviax.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\lowsec . . . . failed to delete
c:\windows\system32\lowsec\local.ds . . . . failed to delete
c:\windows\system32\lowsec\user.ds . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-12 249856]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-13 1234712]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-11-19 88363]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-12 335872]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-11-13 118784]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/13/2008 1:32 PM 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/13/2008 1:32 PM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/13/2008 1:32 PM 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/13/2008 1:32 PM 875288]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Monopod - c:\docume~1\Owner\LOCALS~1\Temp\a.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sxvneur4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80208
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80208&language=en&qkw=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 01:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\wininet.dll
- - - - - - - > 'lsass.exe'(560)
c:\windows\system32\wininet.dll
- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-09-13 1:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 05:23
Pre-Run: 7,541,387,264 bytes free
Post-Run: 9,450,311,680 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
257 --- E O F --- 2009-09-11 03:12
Your version of combofix is old.
Please download new version, rename and rerun it. Post back fresh combofix log afterwards, please.
sara1221
2009-09-14, 09:37
ComboFix 09-09-13.05 - Owner 09/14/2009 2:19.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.701.430 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\computerhelp.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ymazexe.db
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\yvox.dll
c:\program files\Common Files\apirex.vbs
c:\program files\Common Files\ebepe.sys
c:\program files\Common Files\educozycew.com
c:\program files\Common Files\edykyxykom.dll
c:\program files\Common Files\fikoz.ban
c:\program files\Common Files\guryked.exe
c:\program files\Common Files\hobevo.reg
c:\program files\Common Files\lawybycyno.ban
c:\program files\Common Files\myjoxozom.sys
c:\program files\Common Files\rakago.reg
c:\program files\Common Files\ruxapipo.scr
c:\program files\Common Files\syzec.sys
c:\program files\Common Files\tymygujyko.reg
c:\program files\Common Files\uzed.sys
c:\program files\Common Files\xisadakem.bat
c:\windows\ahutawy.bat
c:\windows\amaqymi.bat
c:\windows\anebaxyfo.ban
c:\windows\anocex.sys
c:\windows\bavopyc.exe
c:\windows\cykupysis.exe
c:\windows\denore.sys
c:\windows\dolal.bin
c:\windows\doqe.bat
c:\windows\edudicikuz.bin
c:\windows\enizi.ban
c:\windows\fyfoc.exe
c:\windows\hedi.ban
c:\windows\iqev.scr
c:\windows\izok.dl
c:\windows\kapi.bat
c:\windows\luneca.inf
c:\windows\neno.ban
c:\windows\ohemahaxe.scr
c:\windows\pivuvyrysy.reg
c:\windows\qicygamucy.reg
c:\windows\qunyl.pif
c:\windows\recy.sys
c:\windows\saqiqe.bin
c:\windows\syhyky.inf
c:\windows\system32\aqyzufewep._dl
c:\windows\system32\cewykozys.dl
c:\windows\system32\drivers\UACrrdsvnnoss.sys
c:\windows\system32\epijy.sys
c:\windows\system32\igavi.vbs
c:\windows\system32\ijaxefaw.bin
c:\windows\system32\jimaceruq.pif
c:\windows\system32\kiciqefe.vbs
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\lyhymaxad.inf
c:\windows\system32\qotijyt.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\UACeecxvvthxl.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACipmnthirpd.dll
c:\windows\system32\UACiuxjkikdku.dll
c:\windows\system32\UACnrarqfakbr.dll
c:\windows\system32\UACqhxwmivkpy.log
c:\windows\system32\UACvbqevdjfgx.dat
c:\windows\system32\UACwmnpelirsb.db
c:\windows\system32\udurejezeg.sys
c:\windows\system32\ypemob.sys
c:\windows\ucefor.pif
c:\windows\ucyg.reg
c:\windows\ufitifu.reg
c:\windows\ufoduketuc.inf
c:\windows\ugowe.ban
c:\windows\ukyhid.reg
c:\windows\urag.dll
c:\windows\vupova.vbs
c:\windows\ybese.pif
c:\windows\ywelyc.sys
c:\windows\yxak.bin
c:\windows\zylynyvili.vbs
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.
2009-09-14 06:09 . 2009-09-14 06:09 -------- d-----w- C:\computerhelp
2009-09-13 04:23 . 2009-09-13 04:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 01:47 . 2009-09-11 01:47 -------- d-sh--w- c:\documents and settings\Administrator.JUMHAUER-EBD14A.000\PrivacIE
2009-09-11 01:38 . 2009-09-11 01:38 -------- d-----w- c:\documents and settings\Administrator.JUMHAUER-EBD14A.000\Local Settings\Application Data\Mozilla
2009-09-09 21:40 . 2009-09-09 21:40 12624 ----a-w- c:\windows\ydyt.dat
2009-09-09 21:36 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 04:37 . 2009-09-08 04:37 16329 ----a-w- c:\windows\system32\ydir.dat
2009-09-08 04:37 . 2009-09-08 04:37 19096 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\eweriwe.dat
2009-09-08 04:37 . 2009-09-08 04:37 12342 ----a-w- c:\windows\system32\ukamykydih.dat
2009-09-06 20:20 . 2009-09-06 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-09-06 20:20 . 2009-09-06 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-06 20:19 . 2009-09-06 20:19 -------- d-----w- c:\program files\Yahoo!
2009-09-05 20:38 . 2009-09-05 20:38 396288 ----a-w- C:\HijackThis.exe
2009-09-05 20:33 . 2009-09-05 20:33 -------- d-----w- c:\program files\ERUNT
2009-09-03 20:02 . 2009-09-03 20:02 10649 ----a-w- c:\windows\paxykeqiwi.com
2009-09-01 15:30 . 2009-09-01 15:30 13865 ----a-w- c:\windows\system32\osary.com
2009-09-01 15:30 . 2009-09-01 15:30 12175 ----a-w- c:\program files\Common Files\pehobi.dat
2009-09-01 15:30 . 2009-09-01 15:30 15814 ----a-w- c:\windows\yloq.com
2009-09-01 04:19 . 2009-09-01 04:19 -------- d-----w- c:\program files\Bonjour
2009-08-31 02:05 . 2009-08-31 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\hitpointstudios
2009-08-31 00:07 . 2009-08-31 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\GOL_byHasbro
2009-08-28 23:45 . 2009-08-28 23:45 18707 ----a-w- c:\windows\mepel.com
2009-08-28 05:06 . 2009-08-28 05:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-28 01:32 . 2009-08-28 01:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Logs
2009-08-26 05:49 . 2009-08-26 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\windows\Sun
2009-08-23 05:51 . 2009-08-23 05:51 0 ----a-w- c:\windows\nsreg.dat
2009-08-23 05:50 . 2009-08-23 05:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-08-23 05:43 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-23 05:43 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-23 05:43 . 2009-09-11 03:05 -------- d-----w- c:\windows\ie8updates
2009-08-23 05:42 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-23 05:39 . 2009-08-23 05:41 -------- dc-h--w- c:\windows\ie8
2009-08-23 05:08 . 2009-08-23 05:08 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-23 04:58 . 2009-08-23 05:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-08-23 04:58 . 2009-08-23 05:02 -------- d-s---w- c:\documents and settings\Administrator
2009-08-22 17:56 . 2009-08-22 17:56 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-08-22 17:55 . 2009-08-22 17:55 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-08-22 17:54 . 2009-08-22 17:54 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-08-21 03:52 . 2009-09-05 08:28 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-08-21 03:51 . 2009-09-05 02:29 -------- d-----w- c:\program files\LimeWire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 06:29 . 2009-08-09 22:34 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-09-09 21:40 . 2009-09-09 21:40 18741 ----a-w- c:\documents and settings\Owner\Application Data\otyhoqon.dat
2009-09-09 21:40 . 2009-09-09 21:40 14720 ----a-w- c:\program files\Common Files\feci._sy
2009-09-08 04:37 . 2009-09-08 04:37 18337 ----a-w- c:\program files\Common Files\ujikyze.db
2009-09-05 09:47 . 2009-09-05 09:47 10830 ----a-w- c:\program files\Common Files\esake._sy
2009-09-03 20:02 . 2009-09-03 20:02 19159 ----a-w- c:\documents and settings\Owner\Application Data\geliledeqy.dat
2009-09-02 22:34 . 2009-09-02 22:34 14697 ----a-w- c:\documents and settings\All Users\Application Data\uvupuny.dat
2009-08-30 04:56 . 2008-11-13 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-08-11 16:24 . 2008-11-25 01:15 17280 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 22:31 . 2009-08-09 22:31 -------- d-----w- c:\program files\OpenOffice.org 2.4
2009-08-09 22:29 . 2008-11-13 17:18 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet(4).dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet(2)(2).dll
2009-06-29 16:12 . 2004-08-04 12:00 1159680 ----a-w- c:\windows\system32\urlmon(4).dll
2009-06-29 16:12 . 2004-08-04 12:00 1159680 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2009-06-29 16:12 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2009-06-29 16:12 . 2007-08-13 23:34 268288 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-13_05.21.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-13 01:01 . 2009-09-14 06:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-13 01:01 . 2009-09-13 05:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-13 01:01 . 2009-09-14 06:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-13 01:01 . 2009-09-13 05:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-13 01:01 . 2009-09-13 05:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-13 01:01 . 2009-09-14 06:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-28 05:06 . 2009-09-14 06:18 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-28 05:06 . 2009-09-13 05:20 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-09-14 06:29 . 2009-09-14 06:29 163840 c:\windows\ERDNT\AutoBackup\9-14-2009\Users\00000002\UsrClass.dat
+ 2009-09-14 06:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-14-2009\ERDNT.EXE
+ 2009-09-14 06:29 . 2009-09-14 06:29 5992448 c:\windows\ERDNT\AutoBackup\9-14-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-12 249856]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-13 1234712]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-11-19 88363]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-12 335872]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-11-13 118784]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/13/2008 1:32 PM 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/13/2008 1:32 PM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/13/2008 1:32 PM 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/13/2008 1:32 PM 875288]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sxvneur4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80208
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80208&language=en&qkw=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 02:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-09-14 2:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 06:34
ComboFix2.txt 2009-09-13 05:23
Pre-Run: 9,371,320,320 bytes free
Post-Run: 9,368,526,848 bytes free
381 --- E O F --- 2009-09-11 03:12
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
sara1221
2009-09-15, 09:11
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Agere Systems AC'97 Modem
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Bonjour
Dell ResourceCD
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
iTunes
Java(TM) 6 Update 4
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MSN
OpenOffice.org 2.4
PowerDVD 5.1
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows XP Service Pack 3
WinZip
Yahoo! Toolbar
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\windows\ydyt.dat
c:\windows\system32\dllcache\triedit.dll
c:\windows\system32\ydir.dat
c:\documents and settings\Owner\Local Settings\Application Data\eweriwe.dat
c:\windows\system32\ukamykydih.dat
c:\windows\paxykeqiwi.com
c:\windows\system32\osary.com
c:\documents and settings\Owner\Application Data\otyhoqon.dat
c:\program files\Common Files\feci._sy
c:\program files\Common Files\ujikyze.db
c:\program files\Common Files\esake._sy
c:\documents and settings\Owner\Application Data\geliledeqy.dat
c:\documents and settings\All Users\Application Data\uvupuny.dat
Folder::
c:\documents and settings\Owner\Application Data\LimeWire
c:\program files\LimeWire
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
sara1221
2009-09-16, 07:48
ComboFix 09-09-14.02 - Owner 09/16/2009 0:34.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.701.398 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\computerhelp.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\documents and settings\All Users\Application Data\uvupuny.dat"
"c:\documents and settings\Owner\Application Data\geliledeqy.dat"
"c:\documents and settings\Owner\Application Data\otyhoqon.dat"
"c:\documents and settings\Owner\Local Settings\Application Data\eweriwe.dat"
"c:\program files\Common Files\esake._sy"
"c:\program files\Common Files\feci._sy"
"c:\program files\Common Files\ujikyze.db"
"c:\windows\paxykeqiwi.com"
"c:\windows\system32\dllcache\triedit.dll"
"c:\windows\system32\osary.com"
"c:\windows\system32\ukamykydih.dat"
"c:\windows\system32\ydir.dat"
"c:\windows\ydyt.dat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\uvupuny.dat
c:\documents and settings\Owner\Application Data\geliledeqy.dat
c:\documents and settings\Owner\Application Data\LimeWire
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Owner\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Owner\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Owner\Application Data\LimeWire\downloads.dat
c:\documents and settings\Owner\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Owner\Application Data\LimeWire\gnutella.net
c:\documents and settings\Owner\Application Data\LimeWire\installation.props
c:\documents and settings\Owner\Application Data\LimeWire\library.dat
c:\documents and settings\Owner\Application Data\LimeWire\library5.dat
c:\documents and settings\Owner\Application Data\LimeWire\limewire.props
c:\documents and settings\Owner\Application Data\LimeWire\lock
c:\documents and settings\Owner\Application Data\LimeWire\mojito.props
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\_CACHE_001_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\_CACHE_002_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\_CACHE_003_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\_CACHE_MAP_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\30B5DE57d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\4C4B6535d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\7BD6A121d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\98E79480d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\AE98BDFBd01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\B7E8F4C3d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\BAFF9A8Ed01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache(2)\D5267890d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Owner\Application Data\LimeWire\player.props
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Owner\Application Data\LimeWire\questions.props
c:\documents and settings\Owner\Application Data\LimeWire\responses.cache
c:\documents and settings\Owner\Application Data\LimeWire\simpp.xml
c:\documents and settings\Owner\Application Data\LimeWire\spam.dat
c:\documents and settings\Owner\Application Data\LimeWire\tables.props
c:\documents and settings\Owner\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Owner\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Owner\Application Data\LimeWire\version.xml
c:\documents and settings\Owner\Application Data\LimeWire\versions.props
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\video.sxml3
c:\documents and settings\Owner\Application Data\otyhoqon.dat
c:\documents and settings\Owner\Local Settings\Application Data\eweriwe.dat
c:\program files\Common Files\esake._sy
c:\program files\Common Files\feci._sy
c:\program files\Common Files\ujikyze.db
c:\program files\LimeWire
c:\program files\LimeWire\lib\activation-1.1.jar
c:\program files\LimeWire\lib\additional_resources.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\AppFramework.jar
c:\program files\LimeWire\lib\base64-2.2.2.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-lang-2.2.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-math-1.2.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava-2.0.6.jar
c:\program files\LimeWire\lib\EventBus-1.2b.jar
c:\program files\LimeWire\lib\fb-java-api-2.1.1.jar
c:\program files\LimeWire\lib\fb-java-api-schema-2.1.1.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\glazedlists-snapshot20090628_java15.jar
c:\program files\LimeWire\lib\google-collect-1.0-rc2.jar
c:\program files\LimeWire\lib\guice-2.0-snapshot-20090610.jar
c:\program files\LimeWire\lib\guice-assistedinject-snapshot20090512.jar
c:\program files\LimeWire\lib\hsqldb-1.8.0.10.jar
c:\program files\LimeWire\lib\httpclient-4.0-beta2.jar
c:\program files\LimeWire\lib\httpcore-4.0.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\iTunes-0.0.1.jar
c:\program files\LimeWire\lib\jacob-1.14.3.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jaxb-api-2.1.jar
c:\program files\LimeWire\lib\jaxb-impl-2.1.9.jar
c:\program files\LimeWire\lib\jcip-annotations.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jna-3.1.0.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\json-20070829.jar
c:\program files\LimeWire\lib\jxlayer-4.0.jar
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\miglayout-3.7-swing.jar
c:\program files\LimeWire\lib\mime-util.jar
c:\program files\LimeWire\lib\mozdom4java.jar
c:\program files\LimeWire\lib\MozillaGlue-1.9.jar
c:\program files\LimeWire\lib\MozillaInterfaces-1.9.jar
c:\program files\LimeWire\lib\mozswing.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\runtime-0.4.1.3.jar
c:\program files\LimeWire\lib\smack.jar
c:\program files\LimeWire\lib\smackx-debug.jar
c:\program files\LimeWire\lib\smackx.jar
c:\program files\LimeWire\lib\stax-api-1.0-2.jar
c:\program files\LimeWire\lib\swing-worker-1.2.jar
c:\program files\LimeWire\lib\swingx-1.0.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire.exe
c:\windows\paxykeqiwi.com
c:\windows\system32\dllcache\triedit.dll
c:\windows\system32\osary.com
c:\windows\system32\ukamykydih.dat
c:\windows\system32\ydir.dat
c:\windows\ydyt.dat
.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.
2009-09-14 06:31 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-14 06:31 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-14 06:09 . 2009-09-14 06:09 -------- d-----w- C:\computerhelp
2009-09-13 04:23 . 2009-09-13 04:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 01:47 . 2009-09-11 01:47 -------- d-sh--w- c:\documents and settings\Administrator.JUMHAUER-EBD14A.000\PrivacIE
2009-09-11 01:38 . 2009-09-11 01:38 -------- d-----w- c:\documents and settings\Administrator.JUMHAUER-EBD14A.000\Local Settings\Application Data\Mozilla
2009-09-06 20:20 . 2009-09-06 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-09-06 20:20 . 2009-09-06 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-06 20:19 . 2009-09-06 20:19 -------- d-----w- c:\program files\Yahoo!
2009-09-05 20:38 . 2009-09-05 20:38 396288 ----a-w- C:\HijackThis.exe
2009-09-05 20:33 . 2009-09-05 20:33 -------- d-----w- c:\program files\ERUNT
2009-09-01 15:30 . 2009-09-01 15:30 12175 ----a-w- c:\program files\Common Files\pehobi.dat
2009-09-01 15:30 . 2009-09-01 15:30 15814 ----a-w- c:\windows\yloq.com
2009-09-01 04:19 . 2009-09-01 04:19 -------- d-----w- c:\program files\Bonjour
2009-08-31 02:05 . 2009-08-31 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\hitpointstudios
2009-08-31 00:07 . 2009-08-31 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\GOL_byHasbro
2009-08-28 23:45 . 2009-08-28 23:45 18707 ----a-w- c:\windows\mepel.com
2009-08-28 05:06 . 2009-08-28 05:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-28 01:32 . 2009-08-28 01:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Logs
2009-08-26 05:49 . 2009-08-26 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\windows\Sun
2009-08-23 05:51 . 2009-08-23 05:51 0 ----a-w- c:\windows\nsreg.dat
2009-08-23 05:50 . 2009-08-23 05:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-08-23 05:43 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-23 05:43 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-23 05:43 . 2009-09-11 03:05 -------- d-----w- c:\windows\ie8updates
2009-08-23 05:42 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-23 05:39 . 2009-08-23 05:41 -------- dc-h--w- c:\windows\ie8
2009-08-23 05:08 . 2009-08-23 05:08 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-23 04:58 . 2009-08-23 05:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-08-23 04:58 . 2009-08-23 05:02 -------- d-s---w- c:\documents and settings\Administrator
2009-08-22 17:56 . 2009-08-22 17:56 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-08-22 17:55 . 2009-08-22 17:55 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-08-22 17:54 . 2009-08-22 17:54 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 01:49 . 2009-08-09 22:34 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-08-30 04:56 . 2008-11-13 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-08-11 16:24 . 2008-11-25 01:15 17280 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 22:31 . 2009-08-09 22:31 -------- d-----w- c:\program files\OpenOffice.org 2.4
2009-08-09 22:29 . 2008-11-13 17:18 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet(4).dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet(2)(2).dll
2009-06-29 16:12 . 2004-08-04 12:00 1159680 ----a-w- c:\windows\system32\urlmon(4).dll
2009-06-29 16:12 . 2004-08-04 12:00 1159680 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2009-06-29 16:12 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2009-06-29 16:12 . 2007-08-13 23:34 268288 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-13_05.21.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:41 . 2009-07-11 23:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
- 2008-11-13 01:01 . 2009-09-13 05:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-13 01:01 . 2009-09-14 06:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-13 01:01 . 2009-09-14 06:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-13 01:01 . 2009-09-13 05:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-28 05:06 . 2009-09-14 06:18 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-28 05:06 . 2009-09-13 05:20 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-09-14 07:01 . 2009-09-14 07:01 248832 c:\windows\Installer\1e9608.msi
+ 2009-09-15 05:30 . 2009-09-15 05:30 163840 c:\windows\ERDNT\AutoBackup\9-15-2009\Users\00000002\UsrClass.dat
+ 2009-09-15 05:30 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-15-2009\ERDNT.EXE
+ 2009-09-14 06:29 . 2009-09-14 06:29 163840 c:\windows\ERDNT\AutoBackup\9-14-2009\Users\00000002\UsrClass.dat
+ 2009-09-14 06:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-14-2009\ERDNT.EXE
+ 2009-09-15 05:30 . 2009-09-15 05:30 5992448 c:\windows\ERDNT\AutoBackup\9-15-2009\Users\00000001\ntuser.dat
+ 2009-09-14 06:29 . 2009-09-14 06:29 5992448 c:\windows\ERDNT\AutoBackup\9-14-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-12 249856]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-13 1234712]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-11-19 88363]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-12 335872]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-11-13 118784]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/13/2008 1:32 PM 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/13/2008 1:32 PM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/13/2008 1:32 PM 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/13/2008 1:32 PM 875288]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sxvneur4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80208
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80208&language=en&qkw=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 00:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-16 0:45
ComboFix-quarantined-files.txt 2009-09-16 04:45
ComboFix2.txt 2009-09-14 06:35
ComboFix3.txt 2009-09-13 05:23
Pre-Run: 8,972,021,760 bytes free
Post-Run: 9,255,481,344 bytes free
568 --- E O F --- 2009-09-14 07:01
Please click this link-->Jotti (http://virusscan.jotti.org/)
Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).
c:\windows\yloq.com
c:\windows\mepel.com
Repeat steps for all files on the list.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
sara1221
2009-09-17, 08:39
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.17 -
AhnLab-V3 5.0.0.2 2009.09.16 -
AntiVir 7.9.1.18 2009.09.16 -
Antiy-AVL 2.0.3.7 2009.09.17 -
Authentium 5.1.2.4 2009.09.17 -
Avast 4.8.1351.0 2009.09.16 -
AVG 8.5.0.412 2009.09.16 -
BitDefender 7.2 2009.09.17 -
CAT-QuickHeal 10.00 2009.09.16 -
ClamAV 0.94.1 2009.09.17 -
Comodo 2344 2009.09.17 -
DrWeb 5.0.0.12182 2009.09.17 -
eSafe 7.0.17.0 2009.09.16 -
eTrust-Vet 31.6.6742 2009.09.16 -
F-Prot 4.5.1.85 2009.09.16 -
F-Secure 8.0.14470.0 2009.09.17 -
Fortinet 3.120.0.0 2009.09.16 -
GData 19 2009.09.17 -
Ikarus T3.1.1.72.0 2009.09.17 -
Jiangmin 11.0.800 2009.09.16 -
K7AntiVirus 7.10.846 2009.09.16 -
Kaspersky 7.0.0.125 2009.09.17 -
McAfee 5743 2009.09.16 -
McAfee+Artemis 5743 2009.09.16 -
McAfee-GW-Edition 6.8.5 2009.09.16 -
Microsoft 1.5005 2009.09.16 -
NOD32 4432 2009.09.17 -
Norman 6.01.09 2009.09.16 -
nProtect 2009.1.8.0 2009.09.16 -
Panda 10.0.2.2 2009.09.16 -
PCTools 4.4.2.0 2009.09.16 -
Prevx 3.0 2009.09.17 -
Rising 21.47.30.00 2009.09.17 -
Sophos 4.45.0 2009.09.17 -
Sunbelt 3.2.1858.2 2009.09.17 -
Symantec 1.4.4.12 2009.09.17 -
TheHacker 6.3.4.4.404 2009.09.15 -
TrendMicro 8.950.0.1094 2009.09.16 -
VBA32 3.12.10.10 2009.09.17 -
ViRobot 2009.9.17.1940 2009.09.17 -
VirusBuster 4.6.5.0 2009.09.16 -
Additional information
File size: 18707 bytes
MD5...: 5cb5986647561e1ac30b03b3c68249c9
SHA1..: 811f32ce5cc070c0fa7632622df22d0990566bc6
SHA256: c0c047976d5905bef6c23a1db9e86183984f452cea84a57798f4355f0519f958
ssdeep: 384:F1nbAMJ0KxUYTWxi6VY9xdFDzOGwSH5eLdN0jWJIAyN8/XK2W0Fk/I6Q2YuT
:3vjmivFG2eLdOC5XJ9EI6MuT
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.17 -
AhnLab-V3 5.0.0.2 2009.09.16 -
AntiVir 7.9.1.18 2009.09.16 -
Antiy-AVL 2.0.3.7 2009.09.17 -
Authentium 5.1.2.4 2009.09.17 -
Avast 4.8.1351.0 2009.09.16 -
AVG 8.5.0.412 2009.09.16 -
BitDefender 7.2 2009.09.17 -
CAT-QuickHeal 10.00 2009.09.16 -
ClamAV 0.94.1 2009.09.17 -
Comodo 2344 2009.09.17 -
DrWeb 5.0.0.12182 2009.09.17 -
eSafe 7.0.17.0 2009.09.16 -
eTrust-Vet 31.6.6742 2009.09.16 -
F-Prot 4.5.1.85 2009.09.16 -
F-Secure 8.0.14470.0 2009.09.17 -
Fortinet 3.120.0.0 2009.09.16 -
GData 19 2009.09.17 -
Ikarus T3.1.1.72.0 2009.09.17 -
Jiangmin 11.0.800 2009.09.16 -
K7AntiVirus 7.10.846 2009.09.16 -
Kaspersky 7.0.0.125 2009.09.17 -
McAfee 5743 2009.09.16 -
McAfee+Artemis 5743 2009.09.16 -
McAfee-GW-Edition 6.8.5 2009.09.16 -
Microsoft 1.5005 2009.09.16 -
NOD32 4432 2009.09.17 -
Norman 6.01.09 2009.09.16 -
nProtect 2009.1.8.0 2009.09.16 -
Panda 10.0.2.2 2009.09.16 -
PCTools 4.4.2.0 2009.09.16 -
Prevx 3.0 2009.09.17 -
Rising 21.47.30.00 2009.09.17 -
Sophos 4.45.0 2009.09.17 -
Sunbelt 3.2.1858.2 2009.09.17 -
Symantec 1.4.4.12 2009.09.17 -
TheHacker 6.3.4.4.404 2009.09.15 -
TrendMicro 8.950.0.1094 2009.09.16 -
VBA32 3.12.10.10 2009.09.17 -
ViRobot 2009.9.17.1940 2009.09.17 -
VirusBuster 4.6.5.0 2009.09.16 -
Additional information
File size: 15814 bytes
MD5 : 372e1858d472c4c19617ad9d079a3443
SHA1 : 2ce6c5a4f6e92b97807d2f6bf5e73db0b9b08429
SHA256: bf42e205e75e7ffec4bbbc4dba072ac36c5d219e48cb6653c96fb026bc6d3013
TrID : File type identification
MPEG Video (100.0%)
ssdeep: 384:gIMlD0bCWJFqt0qNa/ZXS97DFwXKDin33avlznuo:gITbCWJI0jhs7DFk33avlznuo
PEiD : -
RDS : NSRL Reference Data Set
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\windows\yloq.com
c:\windows\mepel.com
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
sara1221
2009-09-18, 07:47
ComboFix 09-09-17.04 - Owner 09/18/2009 0:31.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.100 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\computerhelp.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\mepel.com"
"c:\windows\yloq.com"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\mepel.com
c:\windows\yloq.com
.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.
2009-09-14 06:31 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-14 06:31 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-14 06:09 . 2009-09-14 06:09 -------- d-----w- C:\computerhelp
2009-09-13 04:23 . 2009-09-13 04:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 01:47 . 2009-09-11 01:47 -------- d-sh--w- c:\documents and settings\Administrator.JUMHAUER-EBD14A.000\PrivacIE
2009-09-11 01:38 . 2009-09-11 01:38 -------- d-----w- c:\documents and settings\Administrator.JUMHAUER-EBD14A.000\Local Settings\Application Data\Mozilla
2009-09-06 20:20 . 2009-09-06 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-09-06 20:20 . 2009-09-06 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-06 20:19 . 2009-09-06 20:19 -------- d-----w- c:\program files\Yahoo!
2009-09-05 20:38 . 2009-09-05 20:38 396288 ----a-w- C:\HijackThis.exe
2009-09-05 20:33 . 2009-09-05 20:33 -------- d-----w- c:\program files\ERUNT
2009-09-01 15:30 . 2009-09-01 15:30 12175 ----a-w- c:\program files\Common Files\pehobi.dat
2009-09-01 04:19 . 2009-09-01 04:19 -------- d-----w- c:\program files\Bonjour
2009-08-31 02:05 . 2009-08-31 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\hitpointstudios
2009-08-31 00:07 . 2009-08-31 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\GOL_byHasbro
2009-08-28 05:06 . 2009-08-28 05:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-28 01:32 . 2009-08-28 01:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Logs
2009-08-26 05:49 . 2009-08-26 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\windows\Sun
2009-08-23 05:51 . 2009-08-23 05:51 0 ----a-w- c:\windows\nsreg.dat
2009-08-23 05:50 . 2009-08-23 05:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-08-23 05:43 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-23 05:43 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-23 05:43 . 2009-09-11 03:05 -------- d-----w- c:\windows\ie8updates
2009-08-23 05:42 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-23 05:39 . 2009-08-23 05:41 -------- dc-h--w- c:\windows\ie8
2009-08-23 05:08 . 2009-08-23 05:08 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-23 04:58 . 2009-08-23 05:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-08-23 04:58 . 2009-08-23 05:02 -------- d-s---w- c:\documents and settings\Administrator
2009-08-22 17:56 . 2009-08-22 17:56 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-08-22 17:55 . 2009-08-22 17:55 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-08-22 17:54 . 2009-08-22 17:54 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 17:51 . 2009-08-09 22:34 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-08-30 04:56 . 2008-11-13 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-08-11 16:24 . 2008-11-25 01:15 17280 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 22:31 . 2009-08-09 22:31 -------- d-----w- c:\program files\OpenOffice.org 2.4
2009-08-09 22:29 . 2008-11-13 17:18 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet(4).dll
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet(2)(2).dll
2009-06-29 16:12 . 2004-08-04 12:00 1159680 ----a-w- c:\windows\system32\urlmon(4).dll
2009-06-29 16:12 . 2004-08-04 12:00 1159680 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2009-06-29 16:12 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2009-06-29 16:12 . 2007-08-13 23:34 268288 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-13_05.21.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:41 . 2009-07-11 23:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2008-11-13 01:01 . 2009-09-14 06:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-13 01:01 . 2009-09-13 05:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-13 01:01 . 2009-09-14 06:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-13 01:01 . 2009-09-13 05:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-28 05:06 . 2009-09-14 06:18 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-28 05:06 . 2009-09-13 05:20 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-09-14 07:01 . 2009-09-14 07:01 248832 c:\windows\Installer\1e9608.msi
+ 2009-09-17 04:33 . 2009-09-17 04:33 163840 c:\windows\ERDNT\AutoBackup\9-17-2009\Users\00000002\UsrClass.dat
+ 2009-09-17 04:33 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-17-2009\ERDNT.EXE
+ 2009-09-16 17:03 . 2009-09-16 17:03 163840 c:\windows\ERDNT\AutoBackup\9-16-2009\Users\00000002\UsrClass.dat
+ 2009-09-16 17:03 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-16-2009\ERDNT.EXE
+ 2009-09-15 05:30 . 2009-09-15 05:30 163840 c:\windows\ERDNT\AutoBackup\9-15-2009\Users\00000002\UsrClass.dat
+ 2009-09-15 05:30 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-15-2009\ERDNT.EXE
+ 2009-09-14 06:29 . 2009-09-14 06:29 163840 c:\windows\ERDNT\AutoBackup\9-14-2009\Users\00000002\UsrClass.dat
+ 2009-09-14 06:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-14-2009\ERDNT.EXE
+ 2009-09-17 04:33 . 2009-09-17 04:33 5992448 c:\windows\ERDNT\AutoBackup\9-17-2009\Users\00000001\ntuser.dat
+ 2009-09-16 17:03 . 2009-09-16 17:03 5992448 c:\windows\ERDNT\AutoBackup\9-16-2009\Users\00000001\ntuser.dat
+ 2009-09-15 05:30 . 2009-09-15 05:30 5992448 c:\windows\ERDNT\AutoBackup\9-15-2009\Users\00000001\ntuser.dat
+ 2009-09-14 06:29 . 2009-09-14 06:29 5992448 c:\windows\ERDNT\AutoBackup\9-14-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-12 249856]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-13 1234712]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-11-19 88363]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-12 335872]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-11-13 118784]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/13/2008 1:32 PM 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/13/2008 1:32 PM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/13/2008 1:32 PM 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/13/2008 1:32 PM 875288]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sxvneur4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80208
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80208&language=en&qkw=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 00:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-18 0:44
ComboFix-quarantined-files.txt 2009-09-18 04:44
ComboFix2.txt 2009-09-16 04:45
ComboFix3.txt 2009-09-14 06:35
ComboFix4.txt 2009-09-13 05:23
Pre-Run: 8,927,346,688 bytes free
Post-Run: 9,105,907,712 bytes free
194 --- E O F --- 2009-09-14 07:01
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Due to the lack of feedback this Topic is closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Everyone else please begin a New Topic.