Something Blocking/killing Spybot, and others

Redfefnir · Jul 18, 2010

Hello.

I think I'll just get right to the point. Currently, I am on Windows XP SP3 with this computer, it is my older brothers. Long story short. He has a history of Viruses. from those little annoying Pop-ups to the 'Congratulations you've won!' soundbites.

It's easy enough to remove them, between Spybot S&D, and COMODO Antivirus (version 3.8.65951.477)

I helped clear out his computer a number of months ago. and now he keeps complaining of not being able to connect to the internet. Which is generally easily done, he rarely uses the computer, so whatever, I thought.

Well, he started complaining that COMODO wasn't updating. The last update was on Jan 01, 2010. Upon trying it simply said that I needed to check my internet connection and try later. Which, as I have internet, is annoying. Scans were clear. But, seeing as it's using 7 month old definitions, isn't surprising.

I did some searching on their forums and found that it isn't exactly the strangest of occurances. So I went to uninstall/re-install it, thats where things started to get... Annoying.

COMODO wasn't in the list of add/remove programs. I started to try and manually uninstalling it, but instead downloaded the latest version, which, when trying to install, will uninstall the old version and then install the new version. When I tried this. The installer wouldn't complete.

Spybot, oddly. Would not run. Simply noting that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.", seeing as the computer has one account, which is an admin, and I was on it. Was weird. Maybe it was a bad install, Spybot's updater worked fine. So whatever, I thought, I pressed on.

chalking it up to faulty software, I closed out all of my COMODO and tried Avast!.

I never like mixing anti-virus software. But i had to try something. Call it a hunch. Avast! Loaded without incident, and I started a full system scan. Within 4 or 5 minutes of starting the scan. All of the Anti-virus Shield things from Avast! stopped working. And the scan stopped. There is a large enough 'Fix' problem on the Avast! program, which, upon clicking, told me that it could not start any of the shield programs it had. Odd.

Thats when it started to hit me. It wasn't a bad install on Spybot, or innability to update on COMODO's part, this was something serious.

Searching this here forums, I found the 'back' way to start Spybot, which I did, and it loaded, fully updated. 'Alright', I thought, 'I got this, now.', and ran a scan.

about 3 seconds after starting the scan, Spybot closed out, blinked, disappeared. Upon checking the Taskbar, it wasn't running. Teabot was running, but not Spybot. Trying again through the back-way showed the same message as when I try the normal 'Spybot.exe', that I did not have permission and it could not open the file.

During this. I opened Comodo back up, as it was the only virus protection program on my computer that would actually run, I noted there was some 270 connections. Investigating, svchost.exe had 260+ connections. upon Ctrl+Alt+Deleting, a svchost.exe was using some 20,000k, which, was suspicious, so, naturally, I terminated it. All of the connections went away. It did not prompt me that this would be bad for my computer's stability, which I thought was supposed to happen with svchost. In Comodo, the full path was "C:\WINDOWS\system32\svchost.exe". Now, I know that svchost is supposed to have a connection, which, it does. Another svchost.exe is currently connected. Which I'm guessing is the normal one. An infected/virus one comes every once in a while and spams my connections, which I terminate and everything goes back to normal.

After some searching, I thought I would try Housecall. Downloaded it, ran it, it got to 5% before asking me to check my internet connection, as it failed.

I downloaded the 'dds' to include in my post. Upon running it, it ran and did it's thing, then disappeared. No report popping up in notepad, no nothing. I noted there was an evP.exe running after I ran it, at 72kb in my process list.
I tried running the dds a couple more times, each time either evP.exe coming up or edS.exe coming up. I ended those processes and started looking around.

In my Temp Folder there was a list of folders named '80.tmp' going all the way to '86.tmp' (No, I didn't run it 80 times

) Inside those folders. Was the 'edS.exe' or evP.exe', upon trying to delete it, it told me I did not have permission, the same as when I try to run Spybot.

In that Temp folder, there was also a dds notepad file. which, I am including in this post, I was getting ready to post without it. I'm not sure if this is a full dds report, but this is what it gave me.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:36:52.37 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2859 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning enabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Cory\Desktop\dds.scr

Long story short. (TL;DR) Something is stopping anti-viruses from scanning, running, updating or opening via taking away my permissions or at least giving that error to me. At random intervals a svchost.exe will open, and start spamming connections until my internet floods and stops. In the Taskbar the svchost.exe uses more memory then the normal svchosts by alot, and upon terminating it, the connection flood stops.

Halp.

Blade81 · Jul 24, 2010

Hi,

Rename dds.scr file to whatever.com and try to run it. Post back dds.txt & attach.txt log contents.

Redfefnir · Jul 25, 2010

Hello Blade,

Renaming DDS did nothing for me. I am now on my main computer and ran a DDS report to see how the thing actually ran,

DDS is getting killed on the infected computer, generally around the 5th or 6th little ::::: process bar. Just dies, no matter what I rename DDS too.

Blade81 · Jul 25, 2010

Hi,

Could you try in safe mode?

Redfefnir · Jul 25, 2010

Blade,

Nope. Both the normal dds.scr and the renamed dds.scr run for about 15 seconds, going about 5 :::::'s before closing down.

The screensaver dds renamed also does the same, then, upon trying to re-open when they were closed down, they instantly closed, not even loading any text.

Blade81 · Jul 25, 2010

Hi,

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Copy-paste following contents into custom scan -area:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Redfefnir · Jul 25, 2010

Negative.

OTL Runs for about 15 seconds when I hit 'Run Scan' after putting in the text as you asked.

Did this in safe mode as well, no avail, it runs for about 15 seconds then goes bye-bye. Upon trying to re-open, 'Access is denied... -etc etc yadda yadda', the same error it gave me as stated in my first post. redownloading it simply repeats the process.

Boy this sure is something special huh.

Blade81 · Jul 25, 2010

Hi,

Make sure antivirus protection is disabled.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)

---

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Redfefnir · Jul 25, 2010

Okay,

I think we're starting to get somewhere. I disabled my Antivirus protection (What protection it had, anyways.

), then I downloaded RSIT and ran it, it went about 15-20 seconds before closing and going to the 'You don't have proper access' crap it goes though. But, in the RSIT folder, there was one file; log.txt, I'm guessing this is how far it got before it got closed down. It is posted below. Secondly, I ran the Win32kDiag.txt, and that ran without incident.

Log.txt;

Logfile of random's system information tool 1.08 (written by random/random)
Run by Cory at 2010-07-25 16:50:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 45 GB (34%) free of 131 GB
Total RAM: 3582 MB (87% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\EasyShare Registration Task.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-05-03 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-03 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-06 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-03 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-03 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-03 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-09-19 16844800]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-18 13574144]
"nwiz"=nwiz.exe /install []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-03 136600]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-05-03 1851128]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-18 86016]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2010-03-18 207360]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-02-15 141608]
"xjoipuna"=C:\Documents and Settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe [2010-07-01 286976]
"afvxjeub"=C:\Documents and Settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe [2010-07-01 286976]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-04-09 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe -silent []
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]
"PopRock"=C:\DOCUME~1\Cory\LOCALS~1\Temp\e.exe []
"xjoipuna"=C:\Documents and Settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe [2010-07-01 286976]
"afvxjeub"=C:\Documents and Settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe [2010-07-01 286976]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\Cory\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\Documents and Settings\Cory\Desktop\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\Documents and Settings\Cory\Desktop\WoW-BurningCrusade-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Documents and Settings\Cory\Desktop\wowclient-downloader.exe"="C:\Documents and Settings\Cory\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\CCP\EVE\bin\ExeFile.exe"="C:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dl

----------------------------------------

Win32kDiag.txt's file;

Running from: C:\Documents and Settings\Cory\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Cory\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point :

C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP155.tmp\ZAP155.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F8.tmp\ZAP1F8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP236.tmp\ZAP236.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP258.tmp\ZAP258.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

[1] 2004-08-04 01:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\035cdeeef9eaa07de20138b420444b17\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\22f1a1e628f2ceada1948d2c604b5154\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\248802b74506342031e926839639c729\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\269630a60abe4177f0ba214686d6ebda\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59732c3a78c987eaec1ee41ab88e3da8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c8b51fef38872a7ec62d0a40ca147c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b966082e6e248a4942b4768a4e4700f7\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-11-05 13:36:21 26768832 C:\WINDOWS\system32\MRT.exe ()

Found mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_avast5_\_avast5_

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

Sorry for the Doublespacing, thats how it pasted in.

Blade81 · Jul 25, 2010

Hi,

Download The Avenger by Swandog46 from here.
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Code:
```
Files to move:
C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll
```
In the avenger window, click the Paste Script from Clipboard,

button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.

Redfefnir · Jul 25, 2010

Blade,

Ran Avenger as posted without incident. I'm not sure if the log should be this short, but, here it is.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Blade81 · Jul 25, 2010

Worked as expected

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

See if you're able to run DDS now.

Redfefnir · Jul 25, 2010

Ran Win32kDiag as posted, ran without incident! Ran DDS afterwords, and it did a full scan! Now we're getting somewhere.

Win32kDiag's Scan-

---------------------------

Running from: C:\Documents and Settings\Cory\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Cory\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP155.tmp\ZAP155.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP155.tmp\ZAP155.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F8.tmp\ZAP1F8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F8.tmp\ZAP1F8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP236.tmp\ZAP236.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP236.tmp\ZAP236.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP258.tmp\ZAP258.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP258.tmp\ZAP258.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\035cdeeef9eaa07de20138b420444b17\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\035cdeeef9eaa07de20138b420444b17\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\22f1a1e628f2ceada1948d2c604b5154\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\22f1a1e628f2ceada1948d2c604b5154\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\248802b74506342031e926839639c729\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\248802b74506342031e926839639c729\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\269630a60abe4177f0ba214686d6ebda\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\269630a60abe4177f0ba214686d6ebda\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\59732c3a78c987eaec1ee41ab88e3da8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\59732c3a78c987eaec1ee41ab88e3da8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c8b51fef38872a7ec62d0a40ca147c\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c8b51fef38872a7ec62d0a40ca147c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b966082e6e248a4942b4768a4e4700f7\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b966082e6e248a4942b4768a4e4700f7\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\History\Results\Results

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Found mount point : C:\WINDOWS\Temp\_avast5_\_avast5_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_avast5_\_avast5_

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

-----------------------------------------------------------

DDS Report's Log.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Cory at 17:52:56.75 on Sun 07/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3060 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\Cory\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [PopRock] c:\docume~1\cory\locals~1\temp\e.exe
uRun: [xjoipuna] c:\documents and settings\cory\local settings\application data\sjnmikhmx\mmemyirtssd.exe
uRun: [afvxjeub] c:\documents and settings\cory\local settings\application data\hwomitvvo\mdweoxetssd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [xjoipuna] c:\documents and settings\cory\local settings\application data\sjnmikhmx\mmemyirtssd.exe
mRun: [afvxjeub] c:\documents and settings\cory\local settings\application data\hwomitvvo\mdweoxetssd.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
StartupFolder: c:\docume~1\cory\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241404943835
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cory\applic~1\mozilla\firefox\profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

2009-04-26 20:53:49 59904 --sha-w- c:\windows\system32\bavovayo.exe
2009-04-03 16:22:51 109056 --sha-w- c:\windows\system32\bedihidu.dll
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\bozuneyi.dll
2009-04-04 16:23:06 109056 --sha-w- c:\windows\system32\dukazewe.dll
2009-04-27 07:55:15 99328 --sha-w- c:\windows\system32\duyesedi.dll.vir
2009-04-26 20:53:48 98816 --sha-w- c:\windows\system32\fuwoduke.dll
2009-03-24 04:42:20 2713 --sh--w- c:\windows\system32\gehazoze.exe
2009-01-15 00:23:33 69632 --sha-w- c:\windows\system32\hamaveho.dll
2009-04-15 00:22:42 69632 --sha-w- c:\windows\system32\hobolaku.dll
2009-04-10 19:45:58 110592 --sha-w- c:\windows\system32\hogumana.dll
2009-04-20 15:06:27 63488 --sha-w- c:\windows\system32\huvehibi.exe
2009-04-04 04:23:02 100352 --sha-w- c:\windows\system32\huyavodi.dll
2009-04-04 16:23:07 99328 --sha-w- c:\windows\system32\jakiyohe.dll
2009-04-07 23:48:34 108544 --sha-w- c:\windows\system32\josoguyi.dll
2009-04-27 19:55:19 58368 --sha-w- c:\windows\system32\juruzuhu.exe
2009-04-27 19:55:19 99328 --sha-w- c:\windows\system32\kanagule.dll
2009-04-05 16:23:17 109056 --sha-w- c:\windows\system32\kupuweyo.dll
2009-01-02 14:19:15 68608 --sha-w- c:\windows\system32\lijuhidi.dll
2009-04-11 22:36:32 62976 --sha-w- c:\windows\system32\limereju.exe
2009-04-02 14:19:06 68608 --sha-w- c:\windows\system32\malusasu.dll
2009-04-10 19:45:59 102400 --sha-w- c:\windows\system32\merunime.dll
2009-04-04 04:23:02 109056 --sha-w- c:\windows\system32\metuyuli.dll
2009-04-12 16:12:33 64000 --sha-w- c:\windows\system32\mizenode.exe
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\movezisa.dll
2009-01-09 21:38:37 70656 --sha-w- c:\windows\system32\neyuvena.dll
2009-01-15 00:23:33 69632 --sha-w- c:\windows\system32\nijufagi.dll
2009-04-07 23:48:33 100864 --sha-w- c:\windows\system32\nivunaso.dll
2009-04-27 07:55:16 60928 --sha-w- c:\windows\system32\nuyafeku.exe
2009-04-20 15:06:29 109568 --sha-w- c:\windows\system32\pihuwali.dll
2009-04-20 15:06:29 109568 --sha-w- c:\windows\system32\pihuwali.dll.vir
2009-04-11 22:36:33 109568 --sha-w- c:\windows\system32\pinofivu.dll
2009-04-09 21:38:03 70656 --sha-w- c:\windows\system32\pofegohu.dll
2009-04-15 00:22:22 107520 --sha-w- c:\windows\system32\ravebavi.dll
2009-01-09 21:38:37 70656 --sha-w- c:\windows\system32\sudinasu.dll
2009-04-09 21:37:33 63488 --sha-w- c:\windows\system32\tadebava.exe
2009-04-10 19:45:58 64512 --sha-w- c:\windows\system32\tesavohi.exe
2009-03-21 22:34:55 2713 --sh--w- c:\windows\system32\tizomovu.exe
2009-04-26 19:54:30 67072 --sha-w- c:\windows\system32\vakumene.dll
2009-04-03 16:22:52 100352 --sha-w- c:\windows\system32\vehuyafa.dll
2009-01-09 21:38:37 70656 --sha-w- c:\windows\system32\vevesadi.dll
2009-04-12 16:12:32 109056 --sha-w- c:\windows\system32\vozafiwu.dll
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\wahewozi.dll.vir
2009-01-02 14:19:15 68608 --sha-w- c:\windows\system32\wewidilu.dll
2009-04-09 21:37:34 108544 --sha-w- c:\windows\system32\wonizaki.dll
2009-04-05 16:23:18 100352 --sha-w- c:\windows\system32\yonoguja.dll
2009-01-02 14:19:16 68608 --sha-w- c:\windows\system32\yumaluso.dll
2009-04-09 21:37:34 101376 --sha-w- c:\windows\system32\yunukino.dll
2009-04-05 04:23:12 98816 --sha-w- c:\windows\system32\yuwefayi.dll
2009-04-11 22:36:32 102400 --sha-w- c:\windows\system32\zareheli.dll
2009-04-26 19:54:48 98816 --sha-w- c:\windows\system32\zerakede.dll
2009-04-05 04:23:12 109056 --sha-w- c:\windows\system32\zinubiji.dll
2008-10-23 17:32:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat
2009-12-31 02:44:00 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-31 02:44:00 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-31 02:44:00 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:54:03.20 ===============

Blade81 · Jul 25, 2010

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds logs (both dds.txt & attach.txt contents this time).

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Redfefnir · Jul 26, 2010

Blade,

Went through Combofix as you said, ran it, here is the log, followed by a dds report and attached... attach.

ComboFix 10-07-24.04 - Cory 07/25/2010 20:12:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3098 [GMT -4:00]
Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
The following files were disabled during the run:
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll

ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo
c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe
c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx
c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe
c:\documents and settings\Cory\Local Settings\Application Data\Windows Server
c:\documents and settings\Cory\Local Settings\Application Data\Windows Server\txgafo.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll.vir
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\txgafo.dll
c:\windows\_000004_.tmp.dll
c:\windows\msa.exe
c:\windows\system32\adisozih.ini
c:\windows\system32\alatopus.ini
c:\windows\system32\amosejoh.ini
c:\windows\system32\bavovayo.exe
c:\windows\system32\bedihidu.dll
c:\windows\system32\bozuneyi.dll
c:\windows\system32\diduvohe.dll
c:\windows\system32\dukazewe.dll
c:\windows\system32\felerevo.dll
c:\windows\system32\fuwoduke.dll
c:\windows\system32\hamaveho.dll
c:\windows\system32\hobolaku.dll
c:\windows\system32\hogumana.dll
c:\windows\system32\hojesoma.dll
c:\windows\system32\huvehibi.exe
c:\windows\system32\huyavodi.dll
c:\windows\system32\iriyanut.ini
c:\windows\system32\iyubofov.ini
c:\windows\system32\jakiyohe.dll
c:\windows\system32\josoguyi.dll
c:\windows\system32\juruzuhu.exe
c:\windows\system32\kanagule.dll
c:\windows\system32\kipiheba.dll
c:\windows\system32\kufubabe.dll
c:\windows\system32\kupuweyo.dll
c:\windows\system32\lijuhidi.dll
c:\windows\system32\limereju.exe
c:\windows\system32\malusasu.dll
c:\windows\system32\merunime.dll
c:\windows\system32\metuyuli.dll
c:\windows\system32\mizenode.exe
c:\windows\system32\movezisa.dll
c:\windows\system32\neyuvena.dll
c:\windows\system32\nijufagi.dll
c:\windows\system32\nivunaso.dll
c:\windows\system32\nohevawo.dll
c:\windows\system32\nuyafeku.exe
c:\windows\system32\ofazolor.ini
c:\windows\system32\ofuyoguw.ini
c:\windows\system32\oliwusur.ini
c:\windows\system32\opevatep.ini
c:\windows\system32\oteraget.ini
c:\windows\system32\overelef.ini
c:\windows\system32\owavehon.ini
c:\windows\system32\petavepo.dll
c:\windows\system32\pihuwali.dll
c:\windows\system32\pinofivu.dll
c:\windows\system32\pofegohu.dll
c:\windows\system32\pumohigu.dll
c:\windows\system32\ravebavi.dll
c:\windows\system32\rolozafo.dll
c:\windows\system32\rusuwilo.dll
c:\windows\system32\salizuya.dll
c:\windows\system32\sudinasu.dll
c:\windows\system32\tadebava.exe
c:\windows\system32\tesavohi.exe
c:\windows\system32\ugihomup.ini
c:\windows\system32\vakumene.dll
c:\windows\system32\vehuyafa.dll
c:\windows\system32\vevesadi.dll
c:\windows\system32\vofobuyi.dll
c:\windows\system32\vozafiwu.dll
c:\windows\system32\wewidilu.dll
c:\windows\system32\wonizaki.dll
c:\windows\system32\wugoyufo.dll
c:\windows\system32\yonoguja.dll
c:\windows\system32\yumaluso.dll
c:\windows\system32\yunukino.dll
c:\windows\system32\yuwefayi.dll
c:\windows\system32\zareheli.dll
c:\windows\system32\zerakede.dll
c:\windows\system32\zinubiji.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-26 00:19 . 2010-07-26 00:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
2010-07-26 00:19 . 2010-07-26 00:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- C:\rsit
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- c:\program files\trend micro
2010-07-18 19:39 . 2010-07-25 20:36 -------- d-----w- c:\documents and settings\Administrator
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\program files\Alwil Software
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-02 03:32 . 2010-07-02 03:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:24 . 2009-10-26 21:06 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-25 20:47 . 2009-10-19 20:01 0 ----a-w- c:\windows\win32k.sys
2010-07-25 15:52 . 2010-07-25 15:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-07-24 20:47 . 2001-08-23 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2010-07-24 20:37 . 2010-07-24 18:36 -------- d-----w- c:\program files\Steam
2010-07-18 20:47 . 2008-04-10 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-18 20:35 . 2010-07-18 20:35 -------- d-----w- c:\program files\ERUNT
2010-07-18 20:13 . 2008-04-23 19:21 -------- d-----w- c:\program files\LimeWire
2010-07-18 20:12 . 2008-04-10 01:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-18 20:11 . 2010-07-18 20:11 525824 ----a-w- C:\dds.com
2010-07-18 20:11 . 2010-07-18 20:11 525824 ----a-w- C:\vgaevafaefae.com.scr
2010-07-18 19:02 . 2009-05-04 04:19 -------- d-----w- c:\program files\Panda Security
2010-07-18 19:00 . 2009-05-04 01:29 -------- d-----w- c:\program files\Sophos
2010-07-18 18:56 . 2008-04-23 19:26 -------- d-----w- c:\documents and settings\Cory\Application Data\LimeWire
2010-05-30 00:16 . 2009-09-17 20:36 -------- d-----w- c:\documents and settings\Cory\Application Data\Apple Computer
2010-05-30 00:13 . 2009-09-17 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-03-12 10:42 . 2008-04-10 01:36 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-03-12 10:42 . 2008-04-10 01:36 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-03-12 10:42 . 2008-04-10 01:36 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-03-12 10:42 . 2008-04-10 01:36 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-03-12 10:42 . 2008-04-10 01:36 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-04-27 07:55 . 2009-01-27 07:55 99328 --sha-w- c:\windows\system32\duyesedi.dll.vir
2009-03-24 04:42 . 2009-03-24 04:42 2713 --sh--w- c:\windows\system32\gehazoze.exe
2009-04-20 15:06 . 2009-01-20 15:06 109568 --sha-w- c:\windows\system32\pihuwali.dll.vir
2009-03-21 22:34 . 2009-03-21 22:34 2713 --sh--w- c:\windows\system32\tizomovu.exe
2009-01-26 19:54 . 2009-01-26 19:54 67072 --sha-w- c:\windows\system32\wahewozi.dll.vir
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-10 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 136600]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-04 1851128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\documents and settings\Cory\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/4/2009 12:19 AM 28544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/19/2009 12:40 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/19/2009 12:40 PM 24336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/9/2008 11:02 PM 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/5/2009 12:44 AM 721904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Cory\Application Data\Mozilla\Firefox\Profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-xjoipuna - c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe
HKCU-Run-afvxjeub - c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe
HKLM-Run-xjoipuna - c:\documents and settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe
HKLM-Run-afvxjeub - c:\documents and settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 20:24
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\43.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,ef,31,0b,e3,ce,c7,f8,1d,14,4d,5e,e7,ae,a0,aa,e0,21,dd,92,62,6d,d7,
e2,f5,69,e5,0c,5b,9a,95,b5,8d,41,f7,95,80,2d,e1,c9,a2,41,c4,33,a2,1e,fb,aa,\
"??"=hex:47,88,b9,f6,c0,11,83,a9,b6,3f,09,2b,31,0b,2b,6f

[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e1,3e,66,bb,b9,4d,85,db,bf,b4,86,60,c0,9d,55,b1,ce,96,75,69,b5,
d1,9e,ca,dc,31,82,20,d1,02,d2,ee,a5,0f,f1,d3,0e,f9,23,50,ed,fd,18,1a,43,d6,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\nview.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-25 20:29:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-26 00:29

Pre-Run: 47,026,417,664 bytes free
Post-Run: 47,498,272,768 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 2B78625EDCC46674A6A49F3E14EB26B0

-----------------------------------------------------------
DDS Report;
-----------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Cory at 20:33:22.28 on Sun 07/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3058 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Cory\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\cory\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241404943835
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cory\applic~1\mozilla\firefox\profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-4 28544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-19 24336]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-19 700152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-9 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]

=============== Created Last 30 ================

2010-07-25 22:53:17 0 d-sha-r- C:\cmdcons
2010-07-25 22:49:55 98816 ----a-w- c:\windows\sed.exe
2010-07-25 22:49:55 77312 ----a-w- c:\windows\MBR.exe
2010-07-25 22:49:55 256512 ----a-w- c:\windows\PEV.exe
2010-07-25 22:49:55 161792 ----a-w- c:\windows\SWREG.exe
2010-07-25 20:50:51 0 d-----w- c:\program files\trend micro
2010-07-24 18:36:58 0 d-----w- c:\program files\Steam
2010-07-18 20:11:31 525824 ----a-w- C:\dds.com
2010-07-18 20:11:05 525824 ----a-w- C:\vgaevafaefae.com.scr
2010-07-18 19:24:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:03:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-07-24 20:47:42 14336 ----a-w- c:\windows\system32\svchost.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-04-27 07:55:15 99328 --sha-w- c:\windows\system32\duyesedi.dll.vir
2009-03-24 04:42:20 2713 --sh--w- c:\windows\system32\gehazoze.exe
2009-04-20 15:06:29 109568 --sha-w- c:\windows\system32\pihuwali.dll.vir
2009-03-21 22:34:55 2713 --sh--w- c:\windows\system32\tizomovu.exe
2009-01-26 19:54:33 67072 --sha-w- c:\windows\system32\wahewozi.dll.vir
2008-10-23 17:32:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat

============= FINISH: 20:33:37.54 ===============

Attach is Attached. If you want me to post it I can do that also.

Just wanted to put this out there that this is a huge help, thank you very muchly. I know we're not done yet, but still. Thank you.

Blade81 · Jul 26, 2010

Hi again,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\LimeWire
c:\documents and settings\Cory\Application Data\LimeWire
File::
c:\windows\system32\duyesedi.dll.vir
c:\windows\system32\gehazoze.exe
c:\windows\system32\pihuwali.dll.vir
c:\windows\system32\tizomovu.exe
c:\windows\system32\wahewozi.dll.vir
DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one with updates (9.3 and updates 9.3.2 & 9.3.3) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 21.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Redfefnir · Jul 27, 2010

Blade,

Alrighty, I ran into a small problem off the bat, I cannot open Spybot S&D, and as such I could not just 'disable' teatimer, used all of the previous methods, which did not work. instead I made the decision to exit Teatimer for the time being. Hope it didn't interfere with anything.

First up, KAS.txt, followed by a fresh DDS, followed by Combofix

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, July 26, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, July 26, 2010 18:17:39
Records in database: 4199938
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\

Scan statistics:
Objects scanned: 100364
Threats found: 13
Infected objects found: 167
Suspicious objects found: 0
Scan duration: 01:10:05

File name / Threat / Threats count
C:\Documents and Settings\Cory\Application Data\Sun\Java\Deployment\cache\6.0\58\4faee1fa-570ee0c4 Infected: Trojan-Downloader.Java.Agent.ea 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Golden Earring - Radar love.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\im my own grandpa ray stevens.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\in da club intstrumental.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Kris Kristofferson - Vietnam Blues.wma Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\ErdUndoCache\rp250\A0017307.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017308.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017309.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017311.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017313.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017314.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp250\A0017315.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp258\A0018599.dll Infected: Hoax.Win32.Renos.vawl 1
C:\ErdUndoCache\rp258\A0018614.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\ErdUndoCache\rp258\A0018615.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp260\A0018652.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\ErdUndoCache\rp267\A0019661.dll Infected: Trojan.Win32.Monder.bzea 1
C:\ErdUndoCache\rp267\A0019662.dll Infected: Trojan.Win32.Monder.bzea 1
C:\ErdUndoCache\rp267\A0019663.dll Infected: Trojan.Win32.Monder.bzea 1
C:\ErdUndoCache\rp270\A0019714.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp270\A0019715.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp270\A0019717.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019768.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019769.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019770.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019806.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019815.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019819.dll Infected: Packed.Win32.Krap.p 1
C:\ErdUndoCache\rp272\A0019820.dll Infected: Packed.Win32.Krap.p 1
C:\Qoobox\32788R22FWJFW\pci.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\Documents and Settings\Cory\Local Settings\Application Data\hwomitvvo\mdweoxetssd.exe.vir Infected: Trojan.Win32.FraudPack.ayhk 1
C:\Qoobox\Quarantine\C\Documents and Settings\Cory\Local Settings\Application Data\sjnmikhmx\mmemyirtssd.exe.vir Infected: Trojan.Win32.FraudPack.ayhk 1
C:\Qoobox\Quarantine\C\Documents and Settings\Cory\Local Settings\Application Data\Windows Server\txgafo.dll.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\txgafo.dll.vir.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\txgafo.dll.vir Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Packed.Win32.Krap.ag 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bavovayo.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bedihidu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bozuneyi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\diduvohe.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dukazewe.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\felerevo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fuwoduke.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hamaveho.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hobolaku.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hogumana.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hojesoma.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\huvehibi.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\huyavodi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jakiyohe.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\josoguyi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\juruzuhu.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kanagule.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kipiheba.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kufubabe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kupuweyo.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lijuhidi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\malusasu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\merunime.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\metuyuli.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\movezisa.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\neyuvena.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nijufagi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nivunaso.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nohevawo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nuyafeku.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\petavepo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pihuwali.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pinofivu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pofegohu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pumohigu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ravebavi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rolozafo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rusuwilo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\salizuya.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sudinasu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tadebava.exe.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tesavohi.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.edj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vakumene.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vehuyafa.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vevesadi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vofobuyi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vozafiwu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wewidilu.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wonizaki.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wugoyufo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yonoguja.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yumaluso.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yunukino.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yuwefayi.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zareheli.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zerakede.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zinubiji.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\[4]-Submit_2010-07-26_18.01.34.zip Infected: Packed.Win32.Krap.p 3
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0000877.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002011.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002040.exe Infected: Trojan.Win32.FraudPack.ayhk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002041.exe Infected: Trojan.Win32.FraudPack.ayhk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002042.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002043.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002045.exe Infected: Packed.Win32.Krap.ag 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002049.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002050.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002051.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002052.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002053.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002054.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002055.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002056.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002057.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002058.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002059.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002060.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002061.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002064.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002065.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002066.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002067.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002068.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002069.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002070.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002071.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002073.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002074.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002075.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002077.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002078.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002079.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002080.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002081.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002082.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002090.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002091.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002092.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002093.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002094.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002095.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002096.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002097.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002098.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002099.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002100.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002101.exe Infected: Trojan-Downloader.Win32.FraudLoad.edj 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002103.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002104.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002105.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002107.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002108.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002109.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002110.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002111.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002112.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002113.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002114.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002115.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002116.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002117.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002136.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP10\A0002137.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\System Volume Information\_restore{121510F7-0A63-4FF1-9220-0466527DAD05}\RP4\A0000561.dll Infected: Trojan-Dropper.Win32.Drooptroop.cpt 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DYF89QV\d[1].htm Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1

Selected area has been scanned.

--------------------------------------------------
DDS.txt
--------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Cory at 21:42:48.82 on Mon 07/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2807 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Cory\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\cory\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241404943835
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cory\applic~1\mozilla\firefox\profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-19 24336]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-19 700152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-9 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]

=============== Created Last 30 ================

2010-07-26 22:30:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-26 22:30:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-26 01:57:06 0 d-----w- c:\windows\Logs
2010-07-26 01:17:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-07-25 22:53:17 0 d-sha-r- C:\cmdcons
2010-07-25 22:49:55 98816 ----a-w- c:\windows\sed.exe
2010-07-25 22:49:55 77312 ----a-w- c:\windows\MBR.exe
2010-07-25 22:49:55 256512 ----a-w- c:\windows\PEV.exe
2010-07-25 22:49:55 161792 ----a-w- c:\windows\SWREG.exe
2010-07-25 20:50:51 0 d-----w- c:\program files\trend micro
2010-07-24 18:36:58 0 d-----w- c:\program files\Steam
2010-07-18 20:11:31 525824 ----a-w- C:\dds.com
2010-07-18 20:11:05 525824 ----a-w- C:\vgaevafaefae.com.scr
2010-07-18 19:24:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:03:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-07-24 20:47:42 14336 ----a-w- c:\windows\system32\svchost.exe
2010-06-02 08:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-26 15:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 15:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-10-23 17:32:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat

============= FINISH: 21:43:06.84 ===============

Combofix is in the next post.

Redfefnir · Jul 27, 2010

ComboFix 10-07-24.06 - Cory 07/26/2010 18:01:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3117 [GMT -4:00]
Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cory\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\windows\system32\duyesedi.dll.vir"
"c:\windows\system32\gehazoze.exe"
"c:\windows\system32\pihuwali.dll.vir"
"c:\windows\system32\tizomovu.exe"
"c:\windows\system32\wahewozi.dll.vir"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cory\Application Data\LimeWire
c:\documents and settings\Cory\Application Data\LimeWire\.AppSpecialShare\Batman Begins.wmv.torrent.bak
c:\documents and settings\Cory\Application Data\LimeWire\.AppSpecialShare\BB4E - BATMAN RETURNS.torrent.bak
c:\documents and settings\Cory\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\Cory\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\Cory\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Cory\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Cory\Application Data\LimeWire\downloads.dat
c:\documents and settings\Cory\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Cory\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Cory\Application Data\LimeWire\filters.props
c:\documents and settings\Cory\Application Data\LimeWire\installation.props
c:\documents and settings\Cory\Application Data\LimeWire\library.dat
c:\documents and settings\Cory\Application Data\LimeWire\library5.dat
c:\documents and settings\Cory\Application Data\LimeWire\limewire.props
c:\documents and settings\Cory\Application Data\LimeWire\lock
c:\documents and settings\Cory\Application Data\LimeWire\mojito.props
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\280E3FA7d01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\6E4DF74Ad01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\AE98BDEDd01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A9Bd01
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Cory\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Cory\Application Data\LimeWire\player.props
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Cory\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Cory\Application Data\LimeWire\questions.props
c:\documents and settings\Cory\Application Data\LimeWire\responses.cache
c:\documents and settings\Cory\Application Data\LimeWire\simpp.xml
c:\documents and settings\Cory\Application Data\LimeWire\spam.dat
c:\documents and settings\Cory\Application Data\LimeWire\tables.props
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Cory\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Cory\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Cory\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Cory\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Cory\Application Data\LimeWire\version.xml
c:\documents and settings\Cory\Application Data\LimeWire\versions.props
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\image.sxml2
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\image.sxml3
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\video.sxml2
c:\documents and settings\Cory\Application Data\LimeWire\xml\data\video.sxml3
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\LimeWire
c:\program files\LimeWire\aopalliance.pack
c:\program files\LimeWire\clink.pack
c:\program files\LimeWire\commons-codec-1.3.pack
c:\program files\LimeWire\commons-logging.pack
c:\program files\LimeWire\commons-net.pack
c:\program files\LimeWire\daap.pack
c:\program files\LimeWire\dnsjava.pack
c:\program files\LimeWire\forms.pack
c:\program files\LimeWire\foxtrot.pack
c:\program files\LimeWire\gettext-commons.pack
c:\program files\LimeWire\guice-1.0.pack
c:\program files\LimeWire\hs_err_pid1100.log
c:\program files\LimeWire\hs_err_pid2008.log
c:\program files\LimeWire\hs_err_pid2276.log
c:\program files\LimeWire\hs_err_pid2464.log
c:\program files\LimeWire\hs_err_pid3004.log
c:\program files\LimeWire\hs_err_pid3324.log
c:\program files\LimeWire\hs_err_pid3604.log
c:\program files\LimeWire\hs_err_pid3632.log
c:\program files\LimeWire\hs_err_pid3980.log
c:\program files\LimeWire\hs_err_pid4952.log
c:\program files\LimeWire\hsqldb.pack
c:\program files\LimeWire\httpclient-4.0-alpha5-20080522.192134-5.pack
c:\program files\LimeWire\httpcore-4.0-beta2-20080510.140437-10.pack
c:\program files\LimeWire\httpcore-nio-4.0-beta2-20080510.140437-10.pack
c:\program files\LimeWire\icu4j.pack
c:\program files\LimeWire\jaudiotagger.pack
c:\program files\LimeWire\jcraft.pack
c:\program files\LimeWire\jdic.pack
c:\program files\LimeWire\jdic_stub.pack
c:\program files\LimeWire\jflac.pack
c:\program files\LimeWire\jl.pack
c:\program files\LimeWire\jmdns.pack
c:\program files\LimeWire\jogg.pack
c:\program files\LimeWire\jorbis.pack
c:\program files\LimeWire\lib\avg\ATL80.dll
c:\program files\LimeWire\lib\avg\avgcorex.dll
c:\program files\LimeWire\lib\avg\avgsdk.dll
c:\program files\LimeWire\lib\avg\avgsdkcom.dll
c:\program files\LimeWire\lib\avg\avgsdkupd.dll
c:\program files\LimeWire\lib\avg\Microsoft.VC80.ATL.manifest
c:\program files\LimeWire\lib\avg\Microsoft.VC80.CRT.manifest
c:\program files\LimeWire\lib\avg\msvcr80.dll
c:\program files\LimeWire\lib\jacob-1.15-M1-lw-x86.dll
c:\program files\LimeWire\lib\jdshow.dll
c:\program files\LimeWire\lib\JMediaFoundation.dll
c:\program files\LimeWire\lib\Microsoft.VC90.CRT.manifest
c:\program files\LimeWire\lib\msvcm90.dll
c:\program files\LimeWire\lib\msvcp90.dll
c:\program files\LimeWire\lib\msvcr90.dll
c:\program files\LimeWire\lib\torrent-wrapper.dll
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\LimeWire.jar.tmp
c:\program files\LimeWire\log4j.pack
c:\program files\LimeWire\looks.pack
c:\program files\LimeWire\messages.pack
c:\program files\LimeWire\mp3spi.pack
c:\program files\LimeWire\msvcr71.dll
c:\program files\LimeWire\onion-common.pack
c:\program files\LimeWire\onion-fec.pack
c:\program files\LimeWire\ProgressTabs.pack
c:\program files\LimeWire\swt.pack
c:\program files\LimeWire\themes.pack
c:\program files\LimeWire\tritonus.pack
c:\program files\LimeWire\unpack200.exe
c:\program files\LimeWire\vorbisspi.pack
c:\windows\system32\duyesedi.dll.vir
c:\windows\system32\gehazoze.exe
c:\windows\system32\pihuwali.dll.vir
c:\windows\system32\tizomovu.exe
c:\windows\system32\wahewozi.dll.vir

.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-26 01:57 . 2010-07-26 01:57 -------- d-----w- c:\windows\Logs
2010-07-26 01:17 . 2010-07-26 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- C:\rsit
2010-07-25 20:50 . 2010-07-25 20:50 -------- d-----w- c:\program files\trend micro
2010-07-18 19:39 . 2010-07-25 20:36 -------- d-----w- c:\documents and settings\Administrator
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-18 19:24 . 2010-07-18 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\program files\Alwil Software
2010-07-18 19:03 . 2010-07-18 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-02 03:32 . 2010-07-02 03:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 21:58 . 2009-10-26 21:06 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-26 21:50 . 2008-04-10 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 21:48 . 2008-04-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-30 00:16 . 2009-09-17 20:36 -------- d-----w- c:\documents and settings\Cory\Application Data\Apple Computer
2010-05-30 00:13 . 2009-09-17 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-26 15:41 . 2010-07-26 01:58 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-26 15:41 . 2010-07-26 01:58 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-03-12 10:42 . 2008-04-10 01:36 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-03-12 10:42 . 2008-04-10 01:36 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-03-12 10:42 . 2008-04-10 01:36 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-03-12 10:42 . 2008-04-10 01:36 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-03-12 10:42 . 2008-04-10 01:36 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-26_00.24.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-26 21:58 . 2010-07-26 21:58 16384 c:\windows\Temp\Perflib_Perfdata_638.dat
+ 2010-07-26 01:58 . 2010-06-02 08:55 74072 c:\windows\system32\XAPOFX1_5.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 74072 c:\windows\system32\XAPOFX1_4.dll
+ 2010-07-26 01:58 . 2009-09-04 21:44 69464 c:\windows\system32\XAPOFX1_3.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 70992 c:\windows\system32\XAPOFX1_2.dll
+ 2010-07-26 01:58 . 2008-07-31 14:41 68616 c:\windows\system32\XAPOFX1_1.dll
+ 2010-07-26 01:58 . 2008-05-30 18:17 65032 c:\windows\system32\XAPOFX1_0.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 22360 c:\windows\system32\X3DAudio1_7.dll
+ 2010-07-26 01:58 . 2009-03-16 18:18 22360 c:\windows\system32\X3DAudio1_6.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 23376 c:\windows\system32\X3DAudio1_5.dll
+ 2010-07-26 01:58 . 2008-05-30 18:17 25608 c:\windows\system32\X3DAudio1_4.dll
+ 2010-07-26 01:58 . 2008-03-05 20:00 25608 c:\windows\system32\X3DAudio1_3.dll
+ 2010-07-26 01:58 . 2007-10-22 07:37 17928 c:\windows\system32\X3DAudio1_2.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2010-07-26 01:58 . 2010-06-02 08:55 527192 c:\windows\system32\XAudio2_7.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 528216 c:\windows\system32\XAudio2_6.dll
+ 2010-07-26 01:58 . 2009-09-04 21:44 515416 c:\windows\system32\XAudio2_5.dll
+ 2010-07-26 01:58 . 2009-03-16 18:18 517448 c:\windows\system32\XAudio2_4.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 514384 c:\windows\system32\XAudio2_3.dll
+ 2010-07-26 01:58 . 2008-07-31 14:40 509448 c:\windows\system32\XAudio2_2.dll
+ 2010-07-26 01:58 . 2008-05-30 18:19 507400 c:\windows\system32\XAudio2_1.dll
+ 2010-07-26 01:58 . 2008-03-05 20:03 479752 c:\windows\system32\XAudio2_0.dll
+ 2010-07-26 01:58 . 2010-06-02 08:55 239960 c:\windows\system32\xactengine3_7.dll
+ 2010-07-26 01:58 . 2010-02-04 14:01 238936 c:\windows\system32\xactengine3_6.dll
+ 2010-07-26 01:58 . 2009-09-04 21:44 238936 c:\windows\system32\xactengine3_5.dll
+ 2010-07-26 01:58 . 2009-03-16 18:18 235352 c:\windows\system32\xactengine3_4.dll
+ 2010-07-26 01:58 . 2008-10-27 14:04 235856 c:\windows\system32\xactengine3_3.dll
+ 2010-07-26 01:58 . 2008-07-31 14:41 238088 c:\windows\system32\xactengine3_2.dll
+ 2010-07-26 01:58 . 2008-05-30 18:18 238088 c:\windows\system32\xactengine3_1.dll
+ 2010-07-26 01:58 . 2008-03-05 20:03 238088 c:\windows\system32\xactengine3_0.dll
+ 2010-07-26 01:58 . 2007-07-20 04:57 267112 c:\windows\system32\xactengine2_9.dll
+ 2010-07-26 01:58 . 2007-06-21 00:46 266088 c:\windows\system32\xactengine2_8.dll
+ 2010-07-26 01:58 . 2007-10-22 07:39 267272 c:\windows\system32\xactengine2_10.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 235344 c:\windows\system32\d3dx11_42.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 453456 c:\windows\system32\d3dx10_42.dll
+ 2010-07-26 01:58 . 2009-03-09 19:27 453456 c:\windows\system32\d3dx10_41.dll
+ 2010-07-26 01:58 . 2008-10-15 10:22 452440 c:\windows\system32\d3dx10_40.dll
+ 2010-07-26 01:58 . 2008-07-10 15:01 467984 c:\windows\system32\d3dx10_39.dll
+ 2010-07-26 01:58 . 2008-05-30 18:11 467984 c:\windows\system32\d3dx10_38.dll
+ 2010-07-26 01:58 . 2008-02-06 03:07 462864 c:\windows\system32\d3dx10_37.dll
+ 2010-07-26 01:58 . 2007-10-02 13:56 444776 c:\windows\system32\d3dx10_36.dll
+ 2010-07-26 01:58 . 2006-03-31 15:27 578560 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 21:31 . 2010-07-26 21:31 184320 c:\windows\ERDNT\AutoBackup\7-26-2010\Users\00000002\UsrClass.dat
+ 2010-07-26 21:31 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-26-2010\ERDNT.EXE
+ 2010-07-26 01:58 . 2010-07-26 01:58 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:57 . 2010-07-26 01:57 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:58 . 2010-07-26 01:58 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2010-03-12 17:58 . 2010-03-12 17:58 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 1892184 c:\windows\system32\D3DX9_42.dll
+ 2010-07-26 01:58 . 2009-03-09 19:27 4178264 c:\windows\system32\D3DX9_41.dll
+ 2010-07-26 01:58 . 2008-10-15 10:22 4379984 c:\windows\system32\D3DX9_40.dll
+ 2010-07-26 01:58 . 2008-07-10 15:00 3851784 c:\windows\system32\D3DX9_39.dll
+ 2010-07-26 01:58 . 2008-05-30 18:11 3850760 c:\windows\system32\D3DX9_38.dll
+ 2010-07-26 01:58 . 2008-03-05 19:56 3786760 c:\windows\system32\D3DX9_37.dll
+ 2010-07-26 01:58 . 2007-10-12 19:14 3734536 c:\windows\system32\d3dx9_36.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 5501792 c:\windows\system32\d3dcsx_42.dll
+ 2010-07-26 01:58 . 2009-09-04 21:29 1974616 c:\windows\system32\D3DCompiler_42.dll
+ 2010-07-26 01:58 . 2009-03-09 19:27 1846632 c:\windows\system32\D3DCompiler_41.dll
+ 2010-07-26 01:58 . 2008-10-15 10:22 2036576 c:\windows\system32\D3DCompiler_40.dll
+ 2010-07-26 01:58 . 2008-07-10 15:00 1493528 c:\windows\system32\D3DCompiler_39.dll
+ 2010-07-26 01:58 . 2008-05-30 18:11 1491992 c:\windows\system32\D3DCompiler_38.dll
+ 2010-07-26 01:58 . 2008-03-05 19:56 1420824 c:\windows\system32\D3DCompiler_37.dll
+ 2010-07-26 01:58 . 2007-10-12 19:14 1374232 c:\windows\system32\D3DCompiler_36.dll
+ 2010-07-26 21:31 . 2010-07-26 21:31 6533120 c:\windows\ERDNT\AutoBackup\7-26-2010\Users\00000001\ntuser.dat
- 2009-02-23 04:46 . 2009-02-23 04:46 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:57 . 2010-07-26 01:57 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-23 04:46 . 2009-02-23 04:46 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-07-26 01:57 . 2010-07-26 01:57 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-05-04 00:07 . 2010-05-28 16:37 32472008 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 136600]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-04 1851128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\documents and settings\Cory\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\arma 2 operation arrowhead demo\\ArmA2OA_Demo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/4/2009 12:19 AM 28544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/19/2009 12:40 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/19/2009 12:40 PM 24336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/9/2008 11:02 PM 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/5/2009 12:44 AM 721904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Cory\Application Data\Mozilla\Firefox\Profiles\uh958jmt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 18:08
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\43.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,ef,31,0b,e3,ce,c7,f8,1d,14,4d,5e,e7,ae,a0,aa,e0,21,dd,92,62,6d,d7,
e2,f5,69,e5,0c,5b,9a,95,b5,8d,41,f7,95,80,2d,e1,c9,a2,41,c4,33,a2,1e,fb,aa,\
"??"=hex:47,88,b9,f6,c0,11,83,a9,b6,3f,09,2b,31,0b,2b,6f

[HKEY_USERS\S-1-5-21-1078081533-789336058-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e1,3e,66,bb,b9,4d,85,db,bf,b4,86,60,c0,9d,55,b1,ce,96,75,69,b5,
d1,9e,ca,dc,31,82,20,d1,02,d2,ee,a5,0f,f1,d3,0e,f9,23,50,ed,fd,18,1a,43,d6,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

Redfefnir · Jul 27, 2010

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\guard32.dll
.
Completion time: 2010-07-26 18:10:07
ComboFix-quarantined-files.txt 2010-07-26 22:10
ComboFix2.txt 2010-07-26 00:29

Pre-Run: 44,216,897,536 bytes free
Post-Run: 44,164,698,112 bytes free

- - End Of File - - A8DF39A8CB09FA4A98FA0C252A59AD06

Blade81 · Jul 27, 2010

Hi,

Delete following files if found:
C:\Documents and Settings\Cory\Application Data\Sun\Java\Deployment\cache\6.0\58\4faee1fa-570ee0c4
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Golden Earring - Radar love.mp3
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\im my own grandpa ray stevens.mp3
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\in da club intstrumental.mp3
C:\Documents and Settings\Cory\My Documents\LimeWire\Saved\Kris Kristofferson - Vietnam Blues.wma
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DYF89QV\d[1].htm

Please reinstall Spybot to make it work again. Let me know how it goes.

Something Blocking/killing Spybot, and others

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

Security Expert: Emeritus