View Full Version : Something Blocking/killing Spybot, and others
Redfefnir
2010-07-19, 01:00
Hello.
I think I'll just get right to the point. Currently, I am on Windows XP SP3 with this computer, it is my older brothers. Long story short. He has a history of Viruses. from those little annoying Pop-ups to the 'Congratulations you've won!' soundbites.
It's easy enough to remove them, between Spybot S&D, and COMODO Antivirus (version 3.8.65951.477)
I helped clear out his computer a number of months ago. and now he keeps complaining of not being able to connect to the internet. Which is generally easily done, he rarely uses the computer, so whatever, I thought.
Well, he started complaining that COMODO wasn't updating. The last update was on Jan 01, 2010. Upon trying it simply said that I needed to check my internet connection and try later. Which, as I have internet, is annoying. Scans were clear. But, seeing as it's using 7 month old definitions, isn't surprising.
I did some searching on their forums and found that it isn't exactly the strangest of occurances. So I went to uninstall/re-install it, thats where things started to get... Annoying.
COMODO wasn't in the list of add/remove programs. I started to try and manually uninstalling it, but instead downloaded the latest version, which, when trying to install, will uninstall the old version and then install the new version. When I tried this. The installer wouldn't complete.
Spybot, oddly. Would not run. Simply noting that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.", seeing as the computer has one account, which is an admin, and I was on it. Was weird. Maybe it was a bad install, Spybot's updater worked fine. So whatever, I thought, I pressed on.
chalking it up to faulty software, I closed out all of my COMODO and tried Avast!.
I never like mixing anti-virus software. But i had to try something. Call it a hunch. Avast! Loaded without incident, and I started a full system scan. Within 4 or 5 minutes of starting the scan. All of the Anti-virus Shield things from Avast! stopped working. And the scan stopped. There is a large enough 'Fix' problem on the Avast! program, which, upon clicking, told me that it could not start any of the shield programs it had. Odd.
Thats when it started to hit me. It wasn't a bad install on Spybot, or innability to update on COMODO's part, this was something serious.
Searching this here forums, I found the 'back' way to start Spybot, which I did, and it loaded, fully updated. 'Alright', I thought, 'I got this, now.', and ran a scan.
about 3 seconds after starting the scan, Spybot closed out, blinked, disappeared. Upon checking the Taskbar, it wasn't running. Teabot was running, but not Spybot. Trying again through the back-way showed the same message as when I try the normal 'Spybot.exe', that I did not have permission and it could not open the file.
During this. I opened Comodo back up, as it was the only virus protection program on my computer that would actually run, I noted there was some 270 connections. Investigating, svchost.exe had 260+ connections. upon Ctrl+Alt+Deleting, a svchost.exe was using some 20,000k, which, was suspicious, so, naturally, I terminated it. All of the connections went away. It did not prompt me that this would be bad for my computer's stability, which I thought was supposed to happen with svchost. In Comodo, the full path was "C:\WINDOWS\system32\svchost.exe". Now, I know that svchost is supposed to have a connection, which, it does. Another svchost.exe is currently connected. Which I'm guessing is the normal one. An infected/virus one comes every once in a while and spams my connections, which I terminate and everything goes back to normal.
After some searching, I thought I would try Housecall. Downloaded it, ran it, it got to 5% before asking me to check my internet connection, as it failed.
I downloaded the 'dds' to include in my post. Upon running it, it ran and did it's thing, then disappeared. No report popping up in notepad, no nothing. I noted there was an evP.exe running after I ran it, at 72kb in my process list.
I tried running the dds a couple more times, each time either evP.exe coming up or edS.exe coming up. I ended those processes and started looking around.
In my Temp Folder there was a list of folders named '80.tmp' going all the way to '86.tmp' (No, I didn't run it 80 times :p) Inside those folders. Was the 'edS.exe' or evP.exe', upon trying to delete it, it told me I did not have permission, the same as when I try to run Spybot.
In that Temp folder, there was also a dds notepad file. which, I am including in this post, I was getting ready to post without it. I'm not sure if this is a full dds report, but this is what it gave me.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:36:52.37 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2859 [GMT -4:00]
AV: COMODO Antivirus *On-access scanning enabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Cory\Desktop\dds.scr
Long story short. (TL;DR) Something is stopping anti-viruses from scanning, running, updating or opening via taking away my permissions or at least giving that error to me. At random intervals a svchost.exe will open, and start spamming connections until my internet floods and stops. In the Taskbar the svchost.exe uses more memory then the normal svchosts by alot, and upon terminating it, the connection flood stops.
Halp.
Hi,
Rename dds.scr file to whatever.com and try to run it. Post back dds.txt & attach.txt log contents.
Redfefnir
2010-07-25, 04:15
Hello Blade,
Renaming DDS did nothing for me. I am now on my main computer and ran a DDS report to see how the thing actually ran,
DDS is getting killed on the infected computer, generally around the 5th or 6th little ::::: process bar. Just dies, no matter what I rename DDS too.
Hi,
Could you try in safe mode?
Redfefnir
2010-07-25, 19:11
Blade,
Nope. Both the normal dds.scr and the renamed dds.scr run for about 15 seconds, going about 5 :::::'s before closing down.
The screensaver dds renamed also does the same, then, upon trying to re-open when they were closed down, they instantly closed, not even loading any text.
Hi,
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Copy-paste following contents into custom scan -area:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
Redfefnir
2010-07-25, 23:41
Negative.
OTL Runs for about 15 seconds when I hit 'Run Scan' after putting in the text as you asked.
Did this in safe mode as well, no avail, it runs for about 15 seconds then goes bye-bye. Upon trying to re-open, 'Access is denied... -etc etc yadda yadda', the same error it gave me as stated in my first post. redownloading it simply repeats the process.
Boy this sure is something special huh.
Hi,
Make sure antivirus protection is disabled.
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)
---
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
Redfefnir
2010-07-26, 00:02
Okay,
I think we're starting to get somewhere. I disabled my Antivirus protection (What protection it had, anyways. :p), then I downloaded RSIT and ran it, it went about 15-20 seconds before closing and going to the 'You don't have proper access' crap it goes though. But, in the RSIT folder, there was one file; log.txt, I'm guessing this is how far it got before it got closed down. It is posted below. Secondly, I ran the Win32kDiag.txt, and that ran without incident.
Log.txt;
Logfile of random's system information tool 1.08 (written by random/random)
Run by Cory at 2010-07-25 16:50:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 45 GB (34%) free of 131 GB
Total RAM: 3582 MB (87% free)
HijackThis download failed
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\EasyShare Registration Task.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-05-03 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-03 259696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-06 762864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-03 470512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-03 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-03 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-03 259696]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-09-19 16844800]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-18 13574144]
"nwiz"=nwiz.exe /install []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-03 136600]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-05-03 1851128]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-18 86016]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2010-03-18 207360]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-02-15 141608]
"xjoipuna"=C:\Documents and Settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe [2010-07-01 286976]
"afvxjeub"=C:\Documents and Settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe [2010-07-01 286976]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-04-09 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe -silent []
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]
"PopRock"=C:\DOCUME~1\Cory\LOCALS~1\Temp\e.exe []
"xjoipuna"=C:\Documents and Settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe [2010-07-01 286976]
"afvxjeub"=C:\Documents and Settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe [2010-07-01 286976]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Cory\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Cory\Desktop\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\Documents and Settings\Cory\Desktop\WoW-BurningCrusade-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Documents and Settings\Cory\Desktop\wowclient-downloader.exe"="C:\Documents and Settings\Cory\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\CCP\EVE\bin\ExeFile.exe"="C:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dl
----------------------------------------
Win32kDiag.txt's file;
Running from: C:\Documents and Settings\Cory\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Cory\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point :
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP155.tmp\ZAP155.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F8.tmp\ZAP1F8.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP236.tmp\ZAP236.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP258.tmp\ZAP258.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
[1] 2004-08-04 01:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\035cdeeef9eaa07de20138b420444b17\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\22f1a1e628f2ceada1948d2c604b5154\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\248802b74506342031e926839639c729\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\269630a60abe4177f0ba214686d6ebda\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59732c3a78c987eaec1ee41ab88e3da8\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c8b51fef38872a7ec62d0a40ca147c\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b966082e6e248a4942b4768a4e4700f7\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-11-05 13:36:21 26768832 C:\WINDOWS\system32\MRT.exe ()
Found mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\History\Results\Results
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\_avast5_\_avast5_
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Finished!
Sorry for the Doublespacing, thats how it pasted in.
Hi,
Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Files to move:
C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.
Redfefnir
2010-07-26, 00:33
Blade,
Ran Avenger as posted without incident. I'm not sure if the log should be this short, but, here it is.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
Worked as expected :)
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
See if you're able to run DDS now.
Redfefnir
2010-07-26, 00:57
Ran Win32kDiag as posted, ran without incident! Ran DDS afterwords, and it did a full scan! Now we're getting somewhere.
Win32kDiag's Scan-
---------------------------
Running from: C:\Documents and Settings\Cory\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Cory\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP155.tmp\ZAP155.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP155.tmp\ZAP155.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F8.tmp\ZAP1F8.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F8.tmp\ZAP1F8.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP236.tmp\ZAP236.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP236.tmp\ZAP236.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP258.tmp\ZAP258.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP258.tmp\ZAP258.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d2\d2
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d3\d3
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d4\d4
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d5\d5
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d6\d6
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d7\d7
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d8\d8
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\mui\mui
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\035cdeeef9eaa07de20138b420444b17\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\035cdeeef9eaa07de20138b420444b17\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\22f1a1e628f2ceada1948d2c604b5154\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\22f1a1e628f2ceada1948d2c604b5154\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\248802b74506342031e926839639c729\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\248802b74506342031e926839639c729\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\269630a60abe4177f0ba214686d6ebda\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\269630a60abe4177f0ba214686d6ebda\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59732c3a78c987eaec1ee41ab88e3da8\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59732c3a78c987eaec1ee41ab88e3da8\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c8b51fef38872a7ec62d0a40ca147c\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c8b51fef38872a7ec62d0a40ca147c\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b966082e6e248a4942b4768a4e4700f7\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b966082e6e248a4942b4768a4e4700f7\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Cannot access: C:\WINDOWS\system32\MRT.exe
Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe
Found mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Found mount point : C:\WINDOWS\Temp\History\Results\Results
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\History\Results\Results
Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM
Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\RtSigs\Data\Data
Found mount point : C:\WINDOWS\Temp\_avast5_\_avast5_
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\_avast5_\_avast5_
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Finished!
-----------------------------------------------------------
DDS Report's Log.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Cory at 17:52:56.75 on Sun 07/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3060 [GMT -4:00]
AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\Cory\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [PopRock] c:\docume~1\cory\locals~1\temp\e.exe
uRun: [xjoipuna] c:\documents and settings\cory\local settings\application data\sjnmikhmx\mmemyirtssd.exe
uRun: [afvxjeub] c:\documents and settings\cory\local settings\application data\hwomitvvo\mdweoxetssd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [xjoipuna] c:\documents and settings\cory\local settings\application data\sjnmikhmx\mmemyirtssd.exe
mRun: [afvxjeub] c:\documents and settings\cory\local settings\application data\hwomitvvo\mdweoxetssd.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
StartupFolder: c:\docume~1\cory\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241404943835
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\cory\applic~1\mozilla\firefox\profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
==================== Find3M ====================
2009-04-26 20:53:49 59904 --sha-w- c:\windows\system32\bavovayo.exe
2009-04-03 16:22:51 109056 --sha-w- c:\windows\system32\bedihidu.dll
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\bozuneyi.dll
2009-04-04 16:23:06 109056 --sha-w- c:\windows\system32\dukazewe.dll
2009-04-27 07:55:15 99328 --sha-w- c:\windows\system32\duyesedi.dll.vir
2009-04-26 20:53:48 98816 --sha-w- c:\windows\system32\fuwoduke.dll
2009-03-24 04:42:20 2713 --sh--w- c:\windows\system32\gehazoze.exe
2009-01-15 00:23:33 69632 --sha-w- c:\windows\system32\hamaveho.dll
2009-04-15 00:22:42 69632 --sha-w- c:\windows\system32\hobolaku.dll
2009-04-10 19:45:58 110592 --sha-w- c:\windows\system32\hogumana.dll
2009-04-20 15:06:27 63488 --sha-w- c:\windows\system32\huvehibi.exe
2009-04-04 04:23:02 100352 --sha-w- c:\windows\system32\huyavodi.dll
2009-04-04 16:23:07 99328 --sha-w- c:\windows\system32\jakiyohe.dll
2009-04-07 23:48:34 108544 --sha-w- c:\windows\system32\josoguyi.dll
2009-04-27 19:55:19 58368 --sha-w- c:\windows\system32\juruzuhu.exe
2009-04-27 19:55:19 99328 --sha-w- c:\windows\system32\kanagule.dll
2009-04-05 16:23:17 109056 --sha-w- c:\windows\system32\kupuweyo.dll
2009-01-02 14:19:15 68608 --sha-w- c:\windows\system32\lijuhidi.dll
2009-04-11 22:36:32 62976 --sha-w- c:\windows\system32\limereju.exe
2009-04-02 14:19:06 68608 --sha-w- c:\windows\system32\malusasu.dll
2009-04-10 19:45:59 102400 --sha-w- c:\windows\system32\merunime.dll
2009-04-04 04:23:02 109056 --sha-w- c:\windows\system32\metuyuli.dll
2009-04-12 16:12:33 64000 --sha-w- c:\windows\system32\mizenode.exe
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\movezisa.dll
2009-01-09 21:38:37 70656 --sha-w- c:\windows\system32\neyuvena.dll
2009-01-15 00:23:33 69632 --sha-w- c:\windows\system32\nijufagi.dll
2009-04-07 23:48:33 100864 --sha-w- c:\windows\system32\nivunaso.dll
2009-04-27 07:55:16 60928 --sha-w- c:\windows\system32\nuyafeku.exe
2009-04-20 15:06:29 109568 --sha-w- c:\windows\system32\pihuwali.dll
2009-04-20 15:06:29 109568 --sha-w- c:\windows\system32\pihuwali.dll.vir
2009-04-11 22:36:33 109568 --sha-w- c:\windows\system32\pinofivu.dll
2009-04-09 21:38:03 70656 --sha-w- c:\windows\system32\pofegohu.dll
2009-04-15 00:22:22 107520 --sha-w- c:\windows\system32\ravebavi.dll
2009-01-09 21:38:37 70656 --sha-w- c:\windows\system32\sudinasu.dll
2009-04-09 21:37:33 63488 --sha-w- c:\windows\system32\tadebava.exe
2009-04-10 19:45:58 64512 --sha-w- c:\windows\system32\tesavohi.exe
2009-03-21 22:34:55 2713 --sh--w- c:\windows\system32\tizomovu.exe
2009-04-26 19:54:30 67072 --sha-w- c:\windows\system32\vakumene.dll
2009-04-03 16:22:52 100352 --sha-w- c:\windows\system32\vehuyafa.dll
2009-01-09 21:38:37 70656 --sha-w- c:\windows\system32\vevesadi.dll
2009-04-12 16:12:32 109056 --sha-w- c:\windows\system32\vozafiwu.dll
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\wahewozi.dll.vir
2009-01-02 14:19:15 68608 --sha-w- c:\windows\system32\wewidilu.dll
2009-04-09 21:37:34 108544 --sha-w- c:\windows\system32\wonizaki.dll
2009-04-05 16:23:18 100352 --sha-w- c:\windows\system32\yonoguja.dll
2009-01-02 14:19:16 68608 --sha-w- c:\windows\system32\yumaluso.dll
2009-04-09 21:37:34 101376 --sha-w- c:\windows\system32\yunukino.dll
2009-04-05 04:23:12 98816 --sha-w- c:\windows\system32\yuwefayi.dll
2009-04-11 22:36:32 102400 --sha-w- c:\windows\system32\zareheli.dll
2009-04-26 19:54:48 98816 --sha-w- c:\windows\system32\zerakede.dll
2009-04-05 04:23:12 109056 --sha-w- c:\windows\system32\zinubiji.dll
2008-10-23 17:32:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat
2009-12-31 02:44:00 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-31 02:44:00 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-31 02:44:00 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 17:54:03.20 ===============
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds logs (both dds.txt & attach.txt contents this time).
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Redfefnir
2010-07-26, 03:40
Blade,
Went through Combofix as you said, ran it, here is the log, followed by a dds report and attached... attach.
ComboFix 10-07-24.04 - Cory 07/25/2010 20:12:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3098 [GMT -4:00]
Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
The following files were disabled during the run:
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll
ADS - svchost.exe: deleted 88 bytes in 2 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo
c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe
c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx
c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe
c:\documents and settings\Cory\Local Settings\Application Data\Windows Server
c:\documents and settings\Cory\Local Settings\Application Data\Windows Server\txgafo.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll.vir
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\txgafo.dll
c:\windows\_000004_.tmp.dll
c:\windows\msa.exe
c:\windows\system32\adisozih.ini
c:\windows\system32\alatopus.ini
c:\windows\system32\amosejoh.ini
c:\windows\system32\bavovayo.exe
c:\windows\system32\bedihidu.dll
c:\windows\system32\bozuneyi.dll
c:\windows\system32\diduvohe.dll
c:\windows\system32\dukazewe.dll
c:\windows\system32\felerevo.dll
c:\windows\system32\fuwoduke.dll
c:\windows\system32\hamaveho.dll
c:\windows\system32\hobolaku.dll
c:\windows\system32\hogumana.dll
c:\windows\system32\hojesoma.dll
c:\windows\system32\huvehibi.exe
c:\windows\system32\huyavodi.dll
c:\windows\system32\iriyanut.ini
c:\windows\system32\iyubofov.ini
c:\windows\system32\jakiyohe.dll
c:\windows\system32\josoguyi.dll
c:\windows\system32\juruzuhu.exe
c:\windows\system32\kanagule.dll
c:\windows\system32\kipiheba.dll
c:\windows\system32\kufubabe.dll
c:\windows\system32\kupuweyo.dll
c:\windows\system32\lijuhidi.dll
c:\windows\system32\limereju.exe
c:\windows\system32\malusasu.dll
c:\windows\system32\merunime.dll
c:\windows\system32\metuyuli.dll
c:\windows\system32\mizenode.exe
c:\windows\system32\movezisa.dll
c:\windows\system32\neyuvena.dll
c:\windows\system32\nijufagi.dll
c:\windows\system32\nivunaso.dll
c:\windows\system32\nohevawo.dll
c:\windows\system32\nuyafeku.exe
c:\windows\system32\ofazolor.ini
c:\windows\system32\ofuyoguw.ini
c:\windows\system32\oliwusur.ini
c:\windows\system32\opevatep.ini
c:\windows\system32\oteraget.ini
c:\windows\system32\overelef.ini
c:\windows\system32\owavehon.ini
c:\windows\system32\petavepo.dll
c:\windows\system32\pihuwali.dll
c:\windows\system32\pinofivu.dll
c:\windows\system32\pofegohu.dll
c:\windows\system32\pumohigu.dll
c:\windows\system32\ravebavi.dll
c:\windows\system32\rolozafo.dll
c:\windows\system32\rusuwilo.dll
c:\windows\system32\salizuya.dll
c:\windows\system32\sudinasu.dll
c:\windows\system32\tadebava.exe
c:\windows\system32\tesavohi.exe
c:\windows\system32\ugihomup.ini
c:\windows\system32\vakumene.dll
c:\windows\system32\vehuyafa.dll
c:\windows\system32\vevesadi.dll
c:\windows\system32\vofobuyi.dll
c:\windows\system32\vozafiwu.dll
c:\windows\system32\wewidilu.dll
c:\windows\system32\wonizaki.dll
c:\windows\system32\wugoyufo.dll
c:\windows\system32\yonoguja.dll
c:\windows\system32\yumaluso.dll
c:\windows\system32\yunukino.dll
c:\windows\system32\yuwefayi.dll
c:\windows\system32\zareheli.dll
c:\windows\system32\zerakede.dll
c:\windows\system32\zinubiji.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.
2010-07-26 00:19 . 2010-07-26 00:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
2010-07-26 00:19 . 2010-07-26 00:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- C:\rsit
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- c:\program files\trend micro
2010-07-18 19:39 . 2010-07-25 20:36 -------- d-----w- c:\documents and settings\Administrator
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\program files\Alwil Software
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-02 03:32 . 2010-07-02 03:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:24 . 2009-10-26 21:06 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-25 20:47 . 2009-10-19 20:01 0 ----a-w- c:\windows\win32k.sys
2010-07-25 15:52 . 2010-07-25 15:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-07-24 20:47 . 2001-08-23 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2010-07-24 20:37 . 2010-07-24 18:36 -------- d-----w- c:\program files\Steam
2010-07-18 20:47 . 2008-04-10 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-18 20:35 . 2010-07-18 20:35 -------- d-----w- c:\program files\ERUNT
2010-07-18 20:13 . 2008-04-23 19:21 -------- d-----w- c:\program files\LimeWire
2010-07-18 20:12 . 2008-04-10 01:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-18 20:11 . 2010-07-18 20:11 525824 ----a-w- C:\dds.com
2010-07-18 20:11 . 2010-07-18 20:11 525824 ----a-w- C:\vgaevafaefae.com.scr
2010-07-18 19:02 . 2009-05-04 04:19 -------- d-----w- c:\program files\Panda Security
2010-07-18 19:00 . 2009-05-04 01:29 -------- d-----w- c:\program files\Sophos
2010-07-18 18:56 . 2008-04-23 19:26 -------- d-----w- c:\documents and settings\Cory\Application Data\LimeWire
2010-05-30 00:16 . 2009-09-17 20:36 -------- d-----w- c:\documents and settings\Cory\Application Data\Apple Computer
2010-05-30 00:13 . 2009-09-17 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-03-12 10:42 . 2008-04-10 01:36 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-03-12 10:42 . 2008-04-10 01:36 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-03-12 10:42 . 2008-04-10 01:36 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-03-12 10:42 . 2008-04-10 01:36 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-03-12 10:42 . 2008-04-10 01:36 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-04-27 07:55 . 2009-01-27 07:55 99328 --sha-w- c:\windows\system32\duyesedi.dll.vir
2009-03-24 04:42 . 2009-03-24 04:42 2713 --sh--w- c:\windows\system32\gehazoze.exe
2009-04-20 15:06 . 2009-01-20 15:06 109568 --sha-w- c:\windows\system32\pihuwali.dll.vir
2009-03-21 22:34 . 2009-03-21 22:34 2713 --sh--w- c:\windows\system32\tizomovu.exe
2009-01-26 19:54 . 2009-01-26 19:54 67072 --sha-w- c:\windows\system32\wahewozi.dll.vir
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-10 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 136600]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-04 1851128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
c:\documents and settings\Cory\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/4/2009 12:19 AM 28544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/19/2009 12:40 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/19/2009 12:40 PM 24336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/9/2008 11:02 PM 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/5/2009 12:44 AM 721904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Cory\Application Data\Mozilla\Firefox\Profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-xjoipuna - c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe
HKCU-Run-afvxjeub - c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe
HKLM-Run-xjoipuna - c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe
HKLM-Run-afvxjeub - c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 20:24
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\43.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,ef,31,0b,e3,ce,c7,f8,1d,14,4d,5e,e7,ae,a0,aa,e0,21,dd,92,62,6d,d7,
e2,f5,69,e5,0c,5b,9a,95,b5,8d,41,f7,95,80,2d,e1,c9,a2,41,c4,33,a2,1e,fb,aa,\
"??"=hex:47,88,b9,f6,c0,11,83,a9,b6,3f,09,2b,31,0b,2b,6f
[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e1,3e,66,bb,b9,4d,85,db,bf,b4,86,60,c0,9d,55,b1,ce,96,75,69,b5,
d1,9e,ca,dc,31,82,20,d1,02,d2,ee,a5,0f,f1,d3,0e,f9,23,50,ed,fd,18,1a,43,d6,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\guard32.dll
- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\nview.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-25 20:29:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-26 00:29
Pre-Run: 47,026,417,664 bytes free
Post-Run: 47,498,272,768 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 2B78625EDCC46674A6A49F3E14EB26B0
-----------------------------------------------------------
DDS Report;
-----------------------------------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Cory at 20:33:22.28 on Sun 07/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3058 [GMT -4:00]
AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Cory\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\cory\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241404943835
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\cory\applic~1\mozilla\firefox\profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-4 28544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-19 24336]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-19 700152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-9 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
=============== Created Last 30 ================
2010-07-25 22:53:17 0 d-sha-r- C:\cmdcons
2010-07-25 22:49:55 98816 ----a-w- c:\windows\sed.exe
2010-07-25 22:49:55 77312 ----a-w- c:\windows\MBR.exe
2010-07-25 22:49:55 256512 ----a-w- c:\windows\PEV.exe
2010-07-25 22:49:55 161792 ----a-w- c:\windows\SWREG.exe
2010-07-25 20:50:51 0 d-----w- c:\program files\trend micro
2010-07-24 18:36:58 0 d-----w- c:\program files\Steam
2010-07-18 20:11:31 525824 ----a-w- C:\dds.com
2010-07-18 20:11:05 525824 ----a-w- C:\vgaevafaefae.com.scr
2010-07-18 19:24:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:03:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
==================== Find3M ====================
2010-07-24 20:47:42 14336 ----a-w- c:\windows\system32\svchost.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-04-27 07:55:15 99328 --sha-w- c:\windows\system32\duyesedi.dll.vir
2009-03-24 04:42:20 2713 --sh--w- c:\windows\system32\gehazoze.exe
2009-04-20 15:06:29 109568 --sha-w- c:\windows\system32\pihuwali.dll.vir
2009-03-21 22:34:55 2713 --sh--w- c:\windows\system32\tizomovu.exe
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\wahewozi.dll.vir
2008-10-23 17:32:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat
============= FINISH: 20:33:37.54 ===============
Attach is Attached. If you want me to post it I can do that also.
Just wanted to put this out there that this is a huge help, thank you very muchly. I know we're not done yet, but still. Thank you.
Hi again,
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\LimeWire
c:\documents and settings\Cory\Application Data\LimeWire
File::
c:\windows\system32\duyesedi.dll.vir
c:\windows\system32\gehazoze.exe
c:\windows\system32\pihuwali.dll.vir
c:\windows\system32\tizomovu.exe
c:\windows\system32\wahewozi.dll.vir
DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one with updates (9.3 and updates 9.3.2 & 9.3.3) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 21 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Redfefnir
2010-07-27, 04:52
Blade,
Alrighty, I ran into a small problem off the bat, I cannot open Spybot S&D, and as such I could not just 'disable' teatimer, used all of the previous methods, which did not work. instead I made the decision to exit Teatimer for the time being. Hope it didn't interfere with anything.
First up, KAS.txt, followed by a fresh DDS, followed by Combofix
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, July 26, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, July 26, 2010 18:17:39
Records in database: 4199938
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
H:\
Scan statistics:
Objects scanned: 100364
Threats found: 13
Infected objects found: 167
Suspicious objects found: 0
Scan duration: 01:10:05
File name / Threat / Threats count
C:\Documents and Settings\Cory\Application Data\Sun\Java\Deployment\cache\6.0\58\4faee1fa-570ee0c4 Infected: Trojan-Downloader.Java.Agent.ea 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Golden Earring - Radar love.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\im my own grandpa ray stevens.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\in da club intstrumental.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Kris Kristofferson - Vietnam Blues.wma Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\ErdUndoCache\rp250\A0017307.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017308.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017309.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017311.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017313.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017314.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017315.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp258\A0018599.dll Infected: Hoax.Win32.Renos.vawl 1
C:\ErdUndoCache\rp258\A0018614.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\ErdUndoCache\rp258\A0018615.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp260\A0018652.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp267\A0019661.dll Infected: Trojan.Win32.Monder.bzea 1
C:\ErdUndoCache\rp267\A0019662.dll Infected: Trojan.Win32.Monder.bzea 1
C:\ErdUndoCache\rp267\A0019663.dll Infected: Trojan.Win32.Monder.bzea 1
C:\ErdUndoCache\rp270\A0019714.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp270\A0019715.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp270\A0019717.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019768.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019769.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019770.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019806.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019815.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019819.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019820.dll Infected: Packed.Win32.Krap.p 1
C:\Qoobox\32788R22FWJFW\pci.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\Documents and Settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe.vir Infected: Trojan.Win32.FraudPack.ayhk 1
C:\Qoobox\Quarantine\C\Documents and Settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe.vir Infected: Trojan.Win32.FraudPack.ayhk 1
C:\Qoobox\Quarantine\C\Documents and Settings\Cory\Local Settings\Application Data\Windows Server\txgafo.dll.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll.vir.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\txgafo.dll.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Packed.Win32.Krap.ag 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bavovayo.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bedihidu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bozuneyi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\diduvohe.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dukazewe.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\felerevo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fuwoduke.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hamaveho.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hobolaku.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hogumana.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hojesoma.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\huvehibi.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\huyavodi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jakiyohe.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\josoguyi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\juruzuhu.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kanagule.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kipiheba.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kufubabe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kupuweyo.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lijuhidi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\malusasu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\merunime.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\metuyuli.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\movezisa.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\neyuvena.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nijufagi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nivunaso.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nohevawo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nuyafeku.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\petavepo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pihuwali.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pinofivu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pofegohu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pumohigu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ravebavi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rolozafo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rusuwilo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\salizuya.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sudinasu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tadebava.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tesavohi.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.edj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vakumene.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vehuyafa.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vevesadi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vofobuyi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vozafiwu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wewidilu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wonizaki.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wugoyufo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yonoguja.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yumaluso.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yunukino.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yuwefayi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zareheli.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zerakede.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zinubiji.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\[4]-Submit_2010-07-26_18.01.34.zip Infected: Packed.Win32.Krap.p 3
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0000877.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002011.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002040.exe Infected: Trojan.Win32.FraudPack.ayhk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002041.exe Infected: Trojan.Win32.FraudPack.ayhk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002042.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002043.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002045.exe Infected: Packed.Win32.Krap.ag 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002049.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002050.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002051.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002052.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002053.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002054.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002055.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002056.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002057.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002058.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002059.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002060.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002061.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002064.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002065.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002066.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002067.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002068.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002069.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002070.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002071.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002073.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002074.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002075.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002077.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002078.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002079.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002080.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002081.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002082.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002090.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002091.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002092.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002093.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002094.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002095.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002096.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002097.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002098.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002099.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002100.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002101.exe Infected: Trojan-Downloader.Win32.FraudLoad.edj 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002103.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002104.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002105.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002107.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002108.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002109.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002110.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002111.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002112.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002113.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002114.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002115.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002116.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002117.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002136.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002137.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP4\A0000561.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DYF89QV\d[1].htm Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
Selected area has been scanned.
--------------------------------------------------
DDS.txt
--------------------------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Cory at 21:42:48.82 on Mon 07/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2807 [GMT -4:00]
AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Cory\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\cory\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241404943835
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\cory\applic~1\mozilla\firefox\profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-19 24336]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-19 700152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-9 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
=============== Created Last 30 ================
2010-07-26 22:30:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-26 22:30:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-26 01:57:06 0 d-----w- c:\windows\Logs
2010-07-26 01:17:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-07-25 22:53:17 0 d-sha-r- C:\cmdcons
2010-07-25 22:49:55 98816 ----a-w- c:\windows\sed.exe
2010-07-25 22:49:55 77312 ----a-w- c:\windows\MBR.exe
2010-07-25 22:49:55 256512 ----a-w- c:\windows\PEV.exe
2010-07-25 22:49:55 161792 ----a-w- c:\windows\SWREG.exe
2010-07-25 20:50:51 0 d-----w- c:\program files\trend micro
2010-07-24 18:36:58 0 d-----w- c:\program files\Steam
2010-07-18 20:11:31 525824 ----a-w- C:\dds.com
2010-07-18 20:11:05 525824 ----a-w- C:\vgaevafaefae.com.scr
2010-07-18 19:24:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:03:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
==================== Find3M ====================
2010-07-24 20:47:42 14336 ----a-w- c:\windows\system32\svchost.exe
2010-06-02 08:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-26 15:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 15:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-10-23 17:32:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat
============= FINISH: 21:43:06.84 ===============
Combofix is in the next post.
Redfefnir
2010-07-27, 04:54
ComboFix 10-07-24.06 - Cory 07/26/2010 18:01:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3117 [GMT -4:00]
Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cory\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FILE ::
"c:\windows\system32\duyesedi.dll.vir"
"c:\windows\system32\gehazoze.exe"
"c:\windows\system32\pihuwali.dll.vir"
"c:\windows\system32\tizomovu.exe"
"c:\windows\system32\wahewozi.dll.vir"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Cory\Application Data\LimeWire
c:\documents and settings\Cory\Application Data\LimeWire\.AppSpecialShare\Batman Begins.wmv.torrent.bak
c:\documents and settings\Cory\Application Data\LimeWire\.AppSpecialShare\BB4E - BATMAN RETURNS.torrent.bak
c:\documents and settings\Cory\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\Cory\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Cory\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Cory\Application Data\LimeWire\downloads.dat
c:\documents and settings\Cory\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Cory\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Cory\Application Data\LimeWire\filters.props
c:\documents and settings\Cory\Application Data\LimeWire\installation.props
c:\documents and settings\Cory\Application Data\LimeWire\library.dat
c:\documents and settings\Cory\Application Data\LimeWire\library5.dat
c:\documents and settings\Cory\Application Data\LimeWire\limewire.props
c:\documents and settings\Cory\Application Data\LimeWire\lock
c:\documents and settings\Cory\Application Data\LimeWire\mojito.props
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\280E3FA7d01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\6E4DF74Ad01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\AE98BDEDd01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A9Bd01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Cory\Application Data\LimeWire\player.props
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Cory\Application Data\LimeWire\questions.props
c:\documents and settings\Cory\Application Data\LimeWire\responses.cache
c:\documents and settings\Cory\Application Data\LimeWire\simpp.xml
c:\documents and settings\Cory\Application Data\LimeWire\spam.dat
c:\documents and settings\Cory\Application Data\LimeWire\tables.props
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Cory\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Cory\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Cory\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Cory\Application Data\LimeWire\version.xml
c:\documents and settings\Cory\Application Data\LimeWire\versions.props
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\image.sxml2
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\image.sxml3
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\video.sxml2
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\video.sxml3
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\LimeWire
c:\program files\LimeWire\aopalliance.pack
c:\program files\LimeWire\clink.pack
c:\program files\LimeWire\commons-codec-1.3.pack
c:\program files\LimeWire\commons-logging.pack
c:\program files\LimeWire\commons-net.pack
c:\program files\LimeWire\daap.pack
c:\program files\LimeWire\dnsjava.pack
c:\program files\LimeWire\forms.pack
c:\program files\LimeWire\foxtrot.pack
c:\program files\LimeWire\gettext-commons.pack
c:\program files\LimeWire\guice-1.0.pack
c:\program files\LimeWire\hs_err_pid1100.log
c:\program files\LimeWire\hs_err_pid2008.log
c:\program files\LimeWire\hs_err_pid2276.log
c:\program files\LimeWire\hs_err_pid2464.log
c:\program files\LimeWire\hs_err_pid3004.log
c:\program files\LimeWire\hs_err_pid3324.log
c:\program files\LimeWire\hs_err_pid3604.log
c:\program files\LimeWire\hs_err_pid3632.log
c:\program files\LimeWire\hs_err_pid3980.log
c:\program files\LimeWire\hs_err_pid4952.log
c:\program files\LimeWire\hsqldb.pack
c:\program files\LimeWire\httpclient-4.0-alpha5-20080522.192134-5.pack
c:\program files\LimeWire\httpcore-4.0-beta2-20080510.140437-10.pack
c:\program files\LimeWire\httpcore-nio-4.0-beta2-20080510.140437-10.pack
c:\program files\LimeWire\icu4j.pack
c:\program files\LimeWire\jaudiotagger.pack
c:\program files\LimeWire\jcraft.pack
c:\program files\LimeWire\jdic.pack
c:\program files\LimeWire\jdic_stub.pack
c:\program files\LimeWire\jflac.pack
c:\program files\LimeWire\jl.pack
c:\program files\LimeWire\jmdns.pack
c:\program files\LimeWire\jogg.pack
c:\program files\LimeWire\jorbis.pack
c:\program files\LimeWire\lib\avg\ATL80.dll
c:\program files\LimeWire\lib\avg\avgcorex.dll
c:\program files\LimeWire\lib\avg\avgsdk.dll
c:\program files\LimeWire\lib\avg\avgsdkcom.dll
c:\program files\LimeWire\lib\avg\avgsdkupd.dll
c:\program files\LimeWire\lib\avg\Microsoft.VC80.ATL.manifest
c:\program files\LimeWire\lib\avg\Microsoft.VC80.CRT.manifest
c:\program files\LimeWire\lib\avg\msvcr80.dll
c:\program files\LimeWire\lib\jacob-1.15-M1-lw-x86.dll
c:\program files\LimeWire\lib\jdshow.dll
c:\program files\LimeWire\lib\JMediaFoundation.dll
c:\program files\LimeWire\lib\Microsoft.VC90.CRT.manifest
c:\program files\LimeWire\lib\msvcm90.dll
c:\program files\LimeWire\lib\msvcp90.dll
c:\program files\LimeWire\lib\msvcr90.dll
c:\program files\LimeWire\lib\torrent-wrapper.dll
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\LimeWire.jar.tmp
c:\program files\LimeWire\log4j.pack
c:\program files\LimeWire\looks.pack
c:\program files\LimeWire\messages.pack
c:\program files\LimeWire\mp3spi.pack
c:\program files\LimeWire\msvcr71.dll
c:\program files\LimeWire\onion-common.pack
c:\program files\LimeWire\onion-fec.pack
c:\program files\LimeWire\ProgressTabs.pack
c:\program files\LimeWire\swt.pack
c:\program files\LimeWire\themes.pack
c:\program files\LimeWire\tritonus.pack
c:\program files\LimeWire\unpack200.exe
c:\program files\LimeWire\vorbisspi.pack
c:\windows\system32\duyesedi.dll.vir
c:\windows\system32\gehazoze.exe
c:\windows\system32\pihuwali.dll.vir
c:\windows\system32\tizomovu.exe
c:\windows\system32\wahewozi.dll.vir
.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.
2010-07-26 01:57 . 2010-07-26 01:57 -------- d-----w- c:\windows\Logs
2010-07-26 01:17 . 2010-07-26 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- C:\rsit
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- c:\program files\trend micro
2010-07-18 19:39 . 2010-07-25 20:36 -------- d-----w- c:\documents and settings\Administrator
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\program files\Alwil Software
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-02 03:32 . 2010-07-02 03:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 21:58 . 2009-10-26 21:06 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-26 21:50 . 2008-04-10 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 21:48 . 2008-04-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-30 00:16 . 2009-09-17 20:36 -------- d-----w- c:\documents and settings\Cory\Application Data\Apple Computer
2010-05-30 00:13 . 2009-09-17 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-26 15:41 . 2010-07-26 01:58 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-03-12 10:42 . 2008-04-10 01:36 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-03-12 10:42 . 2008-04-10 01:36 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-03-12 10:42 . 2008-04-10 01:36 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-03-12 10:42 . 2008-04-10 01:36 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-03-12 10:42 . 2008-04-10 01:36 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-07-26_00.24.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-26 21:58 . 2010-07-26 21:58 16384 c:\windows\Temp\Perflib_Perfdata_638.dat
+ 2010-07-26 01:58 . 2010-06-02 08:55 74072 c:\windows\system32\XAPOFX1_5.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 74072 c:\windows\system32\XAPOFX1_4.dll
+ 2010-07-26 01:58 . 2009-09-04 21:44 69464 c:\windows\system32\XAPOFX1_3.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 70992 c:\windows\system32\XAPOFX1_2.dll
+ 2010-07-26 01:58 . 2008-07-31 14:41 68616 c:\windows\system32\XAPOFX1_1.dll
+ 2010-07-26 01:58 . 2008-05-30 18:17 65032 c:\windows\system32\XAPOFX1_0.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 22360 c:\windows\system32\X3DAudio1_7.dll
+ 2010-07-26 01:58 . 2009-03-16 18:18 22360 c:\windows\system32\X3DAudio1_6.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 23376 c:\windows\system32\X3DAudio1_5.dll
+ 2010-07-26 01:58 . 2008-05-30 18:17 25608 c:\windows\system32\X3DAudio1_4.dll
+ 2010-07-26 01:58 . 2008-03-05 20:00 25608 c:\windows\system32\X3DAudio1_3.dll
+ 2010-07-26 01:58 . 2007-10-22 07:37 17928 c:\windows\system32\X3DAudio1_2.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2010-07-26 01:58 . 2010-06-02 08:55 527192 c:\windows\system32\XAudio2_7.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 528216 c:\windows\system32\XAudio2_6.dll
+ 2010-07-26 01:58 . 2009-09-04 21:44 515416 c:\windows\system32\XAudio2_5.dll
+ 2010-07-26 01:58 . 2009-03-16 18:18 517448 c:\windows\system32\XAudio2_4.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 514384 c:\windows\system32\XAudio2_3.dll
+ 2010-07-26 01:58 . 2008-07-31 14:40 509448 c:\windows\system32\XAudio2_2.dll
+ 2010-07-26 01:58 . 2008-05-30 18:19 507400 c:\windows\system32\XAudio2_1.dll
+ 2010-07-26 01:58 . 2008-03-05 20:03 479752 c:\windows\system32\XAudio2_0.dll
+ 2010-07-26 01:58 . 2010-06-02 08:55 239960 c:\windows\system32\xactengine3_7.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 238936 c:\windows\system32\xactengine3_6.dll
+ 2010-07-26 01:58 . 2009-09-04 21:44 238936 c:\windows\system32\xactengine3_5.dll
+ 2010-07-26 01:58 . 2009-03-16 18:18 235352 c:\windows\system32\xactengine3_4.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 235856 c:\windows\system32\xactengine3_3.dll
+ 2010-07-26 01:58 . 2008-07-31 14:41 238088 c:\windows\system32\xactengine3_2.dll
+ 2010-07-26 01:58 . 2008-05-30 18:18 238088 c:\windows\system32\xactengine3_1.dll
+ 2010-07-26 01:58 . 2008-03-05 20:03 238088 c:\windows\system32\xactengine3_0.dll
+ 2010-07-26 01:58 . 2007-07-20 04:57 267112 c:\windows\system32\xactengine2_9.dll
+ 2010-07-26 01:58 . 2007-06-21 00:46 266088 c:\windows\system32\xactengine2_8.dll
+ 2010-07-26 01:58 . 2007-10-22 07:39 267272 c:\windows\system32\xactengine2_10.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 235344 c:\windows\system32\d3dx11_42.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 453456 c:\windows\system32\d3dx10_42.dll
+ 2010-07-26 01:58 . 2009-03-09 19:27 453456 c:\windows\system32\d3dx10_41.dll
+ 2010-07-26 01:58 . 2008-10-15 10:22 452440 c:\windows\system32\d3dx10_40.dll
+ 2010-07-26 01:58 . 2008-07-10 15:01 467984 c:\windows\system32\d3dx10_39.dll
+ 2010-07-26 01:58 . 2008-05-30 18:11 467984 c:\windows\system32\d3dx10_38.dll
+ 2010-07-26 01:58 . 2008-02-06 03:07 462864 c:\windows\system32\d3dx10_37.dll
+ 2010-07-26 01:58 . 2007-10-02 13:56 444776 c:\windows\system32\d3dx10_36.dll
+ 2010-07-26 01:58 . 2006-03-31 15:27 578560 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 21:31 . 2010-07-26 21:31 184320 c:\windows\ERDNT\AutoBackup\7-26-2010\Users\00000002\UsrClass.dat
+ 2010-07-26 21:31 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-26-2010\ERDNT.EXE
+ 2010-07-26 01:58 . 2010-07-26 01:58 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:57 . 2010-07-26 01:57 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 1892184 c:\windows\system32\D3DX9_42.dll
+ 2010-07-26 01:58 . 2009-03-09 19:27 4178264 c:\windows\system32\D3DX9_41.dll
+ 2010-07-26 01:58 . 2008-10-15 10:22 4379984 c:\windows\system32\D3DX9_40.dll
+ 2010-07-26 01:58 . 2008-07-10 15:00 3851784 c:\windows\system32\D3DX9_39.dll
+ 2010-07-26 01:58 . 2008-05-30 18:11 3850760 c:\windows\system32\D3DX9_38.dll
+ 2010-07-26 01:58 . 2008-03-05 19:56 3786760 c:\windows\system32\D3DX9_37.dll
+ 2010-07-26 01:58 . 2007-10-12 19:14 3734536 c:\windows\system32\d3dx9_36.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 5501792 c:\windows\system32\d3dcsx_42.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 1974616 c:\windows\system32\D3DCompiler_42.dll
+ 2010-07-26 01:58 . 2009-03-09 19:27 1846632 c:\windows\system32\D3DCompiler_41.dll
+ 2010-07-26 01:58 . 2008-10-15 10:22 2036576 c:\windows\system32\D3DCompiler_40.dll
+ 2010-07-26 01:58 . 2008-07-10 15:00 1493528 c:\windows\system32\D3DCompiler_39.dll
+ 2010-07-26 01:58 . 2008-05-30 18:11 1491992 c:\windows\system32\D3DCompiler_38.dll
+ 2010-07-26 01:58 . 2008-03-05 19:56 1420824 c:\windows\system32\D3DCompiler_37.dll
+ 2010-07-26 01:58 . 2007-10-12 19:14 1374232 c:\windows\system32\D3DCompiler_36.dll
+ 2010-07-26 21:31 . 2010-07-26 21:31 6533120 c:\windows\ERDNT\AutoBackup\7-26-2010\Users\00000001\ntuser.dat
- 2009-02-23 04:46 . 2009-02-23 04:46 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:57 . 2010-07-26 01:57 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:57 . 2010-07-26 01:57 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-05-04 00:07 . 2010-05-28 16:37 32472008 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 136600]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-04 1851128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
c:\documents and settings\Cory\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\arma 2 operation arrowhead demo\\ArmA2OA_Demo.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/4/2009 12:19 AM 28544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/19/2009 12:40 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/19/2009 12:40 PM 24336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/9/2008 11:02 PM 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/5/2009 12:44 AM 721904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Cory\Application Data\Mozilla\Firefox\Profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 18:08
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\43.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,ef,31,0b,e3,ce,c7,f8,1d,14,4d,5e,e7,ae,a0,aa,e0,21,dd,92,62,6d,d7,
e2,f5,69,e5,0c,5b,9a,95,b5,8d,41,f7,95,80,2d,e1,c9,a2,41,c4,33,a2,1e,fb,aa,\
"??"=hex:47,88,b9,f6,c0,11,83,a9,b6,3f,09,2b,31,0b,2b,6f
[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e1,3e,66,bb,b9,4d,85,db,bf,b4,86,60,c0,9d,55,b1,ce,96,75,69,b5,
d1,9e,ca,dc,31,82,20,d1,02,d2,ee,a5,0f,f1,d3,0e,f9,23,50,ed,fd,18,1a,43,d6,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
Redfefnir
2010-07-27, 04:54
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\guard32.dll
.
Completion time: 2010-07-26 18:10:07
ComboFix-quarantined-files.txt 2010-07-26 22:10
ComboFix2.txt 2010-07-26 00:29
Pre-Run: 44,216,897,536 bytes free
Post-Run: 44,164,698,112 bytes free
- - End Of File - - A8DF39A8CB09FA4A98FA0C252A59AD06
Hi,
Delete following files if found:
C:\Documents and Settings\Cory\Application Data\Sun\Java\Deployment\cache\6.0\58\4faee1fa-570ee0c4
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Golden Earring - Radar love.mp3
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\im my own grandpa ray stevens.mp3
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\in da club intstrumental.mp3
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Kris Kristofferson - Vietnam Blues.wma
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DYF89QV\d[1].htm
Please reinstall Spybot to make it work again. Let me know how it goes.
Redfefnir
2010-07-28, 19:26
Spybot installed and works peachy, at least at the moment. I'm on lunch break from work so I'll run it later when I get home. Expect an update in a few hours.
Redfefnir
2010-07-29, 00:44
Alright, fired Spybot up and ran it, Win32.PornPopUp was found, 2 tracking cookies in firefox. Don't know if theres a way to post a report, but thats what it was.
Anything else you need me to run? And also, should I be worried about passwords being protected, and should I re-password everything on a seperate, uninfected computer.
Thanks
Hi,
I wouldn't worry about those tracking cookies. However, you can reduce cookie amounts for example by installing hosts file (instructions below). Changing passwords occasionally would be recommended.
Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Redfefnir
2010-07-30, 02:31
Blade,
When I turned off my System Restore, Comodo shot up with a virus alert.
-Location
C:\System Volume Information\_restore{121510F7-0a63-4ff1-9220-0466527DAD05}\RP13\A0002631.exe
-Malware name
ApplicUnsaf.Win32.hide.~AB@5325787
There are two entries, one for Detect, and one for Quarantine.
System Restore is now off, and such.
Also, Comodo is still not updating. Is there a way I can uninstall it and reinstall a fresh, more recent copy? Or manually update it? Since the updater isn't updating Comodo at all and I feel the actual program is out of date. Granted it just detected a virus, and quarantined it for me. Which is awesome, but it needs to be updating and such.
Spybot is running and updating fine, though, still. Do you need another DDS report?
Hi,
I believe Comodo has same problem like Spybot had earlier. Please reinstall it.
Redfefnir
2010-08-01, 19:55
Blade,
Thanks for all your help with the virus removal. I tried re-installing Comodo, but with no success. The program isn't listed in my Add/Remove programs, and I've spent a lot of time trying to get it off so I can reinstall a newer version of it.
Everything listed for how to remove it hasn't helped either, trying to re-install it does nothing. Doesn't even notify that it's already been installed like normal.
Hi,
Copy this (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) file to c:\program files folder. Then drag'n'drop C:\Program Files\COMODO folder to the inherit file and wait for a few minutes. Are you able to update Comodo now?
Redfefnir
2010-08-01, 22:45
Well. I did as you asked, and got Comodo to update, once. I got all happy and stuff, and my computer needed to be rebooted, so, after reboot, the virus signature thing was dated as 'August 1st 2010' and I was like 'Alright! Finally!'
Then it went back to 'January 2nd 2010'
And when I try to update it I get
"Error 113: Update could not be completed. Seems Internet connection lost halfway during update download. Please check you Internet connection and retry."
So yeah. Still nothing.
Also, should Svchost.exe be connecting to anything, internet wise? It keeps making a UDP Out connection. with data going in and out. I'm sure it's normal. I'm not trying to be paranoid, but there is a normal svchost.exe also listed with a TCP connection, seperate from the first svchost.exe.
Probably nothing wrong, but still. Just wanted to make 100%.
-Thanks
Hi,
Please try to drag'n'drop comodo folder on inherit file again. Are you able to reinstall Comodo after that? If any other program is acting like Comodo you have to drag 'n' drop its folder on inherit file in the same way.
Processes have different dll files and handles loaded and opened under them. If you suspect some svchost.exe process instance you get more information with Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx).
Hi,
Was the problem resolved?
Due to inactivity, this thread will now be closed.
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.