Wierd Malware/virus

Status
Not open for further replies.
S

sbutnaru

New member
I'm not sure which this is but its makign all my searches go to a new window and being redirected through a site called jump.com. I'm also unable to install Spybot for soem reason it is unable to log on to the safer networkign website.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:49 PM, on 31/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Stefan\Local Settings\Temporary Internet Files\Content.IE5\8CZF887W\spybotsd162[1].exe
C:\DOCUME~1\Stefan\LOCALS~1\Temp\is-SKRK4.tmp\spybotsd162[1].tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tpoyetozuxahow] rundll32.exe "C:\WINDOWS\akucesofihutafuz.dll",e
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [Pvunumiw] rundll32.exe "C:\WINDOWS\Rxezoyowuyazami.dll",e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Stefan\LOCALS~1\Temp\~tmpa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1230803270651
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11A9B682-FC84-479C-B083-7A3093F803E1}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CS2\Services\Tcpip\..\{11A9B682-FC84-479C-B083-7A3093F803E1}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7508 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

http://whois.domaintools.com/85.255.112.212
85.255.112.212 <<< you are hacked by criminals from the Ukraine and you also have a downloader onboard:
http://www.systemlookup.com/Startup/18865.html

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:45 PM, on 02/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tpoyetozuxahow] rundll32.exe "C:\WINDOWS\akucesofihutafuz.dll",e
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1230803270651
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6293 bytes







ComboFix 09-04-01.01 - Stefan 2009-04-02 20:02:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2275 [GMT -4:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-3-7-74-100014181-100031199-100018488-5025.com
c:\windows\itujigulukacega.dll
c:\windows\system32\drivers\gaopdxtuwkmoyxfqgmuboeyxgkijntkqltabot.sys
c:\windows\system32\gaopdxawqrnlsmlqmahommoijwlrwyqcufnult.dll
c:\windows\system32\gaopdxcounter
c:\windows\system32\msxml71.dll
c:\windows\system32\TDSSblal.dat
c:\windows\system32\TDSSxnpb.dll
d:\recycler\S-3-4-14-100022521-100011899-100014595-9983.com
d:\recycler\S-3-7-74-100014181-100031199-100018488-5025.com
d:\recycler\S-6-8-60-100011094-100023616-100001965-3252.com
e:\recycler\S-3-4-14-100022521-100011899-100014595-9983.com
e:\recycler\S-3-7-74-100014181-100031199-100018488-5025.com
e:\recycler\S-6-8-60-100011094-100023616-100001965-3252.com
f:\recycler\S-3-4-14-100022521-100011899-100014595-9983.com
f:\recycler\S-3-7-74-100014181-100031199-100018488-5025.com
f:\recycler\S-6-8-60-100011094-100023616-100001965-3252.com

.
((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-04-01 14:21 . 2009-04-01 14:22 <DIR> d-------- c:\program files\SpywareBlaster
2009-04-01 14:21 . 2009-04-01 14:27 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-31 17:33 . 2009-03-31 17:33 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 18:19 . 2009-03-29 18:19 <DIR> d-------- c:\program files\SSH Communications Security
2009-03-29 18:19 . 2009-03-29 18:37 <DIR> d-------- c:\documents and settings\Stefan\Application Data\SSH
2009-03-27 22:51 . 2009-03-27 22:51 <DIR> d-------- c:\documents and settings\Dbutnaru
2009-03-27 22:51 . 2008-04-13 20:12 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-25 01:13 . 2009-03-25 14:28 227 --a------ c:\windows\ACTIVEJP.INI
2009-03-18 23:31 . 2009-03-25 01:15 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2009-03-18 23:25 . 2002-12-12 00:14 1,294,336 --a--c--- c:\windows\system32\dllcache\dsound3d.dll
2009-03-13 16:51 . 2009-03-13 16:51 <DIR> d-------- c:\windows\Sun
2009-03-07 02:18 . 2009-03-07 02:53 4,194,322 --a------ C:\memory_map.tga
2009-03-07 01:27 . 2009-03-07 01:27 <DIR> d-------- c:\documents and settings\Stefan\Application Data\The Creative Assembly
2009-03-07 00:49 . 2009-03-07 00:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-03-07 00:46 . 2009-03-07 00:46 <DIR> d-------- c:\documents and settings\Stefan\Application Data\DAEMON Tools Pro
2009-03-07 00:20 . 2009-03-07 00:58 <DIR> d-------- c:\program files\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 23:59 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-31 21:03 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-03-31 20:59 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-31 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-31 02:51 --------- d-----w c:\documents and settings\Stefan\Application Data\LimeWire
2009-03-29 22:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 05:22 --------- d-----w c:\documents and settings\Stefan\Application Data\Apple Computer
2009-03-05 04:50 --------- d-----w c:\program files\Steam
2009-02-22 03:06 278,984 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-02-22 03:05 25,416 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-02-21 17:58 --------- d-----w c:\program files\Windows Live
2009-02-21 17:57 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-19 03:21 --------- d-----w c:\program files\Atari
2009-02-19 03:20 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-19 03:13 --------- d-----w c:\program files\Alcohol Soft
2009-02-12 03:07 --------- d-----w c:\program files\Miracle C
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 01:42 --------- d-----w c:\documents and settings\All Users\Application Data\media center programs
2009-02-07 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Funcom
2009-02-07 00:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 23:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-05 01:44 --------- d-----w c:\program files\Teamspeak2_RC2
2009-02-05 01:44 --------- d-----w c:\documents and settings\Stefan\Application Data\teamspeak2
2009-02-04 00:38 --------- d-----w c:\program files\Playnet
2009-02-04 00:38 --------- d-----w c:\program files\Netscape
2009-01-28 18:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-24 04:08 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-09 08:21 133,632 ----a-w c:\windows\akucesofihutafuz.dll
2009-01-04 08:09 348,160 ----a-w c:\windows\system32\msvcr71.dll
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-04 185872]
"Tpoyetozuxahow"="c:\windows\akucesofihutafuz.dll" [2009-01-09 133632]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"nwiz"="nwiz.exe" [2008-09-18 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8tlxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"e:\\Battleground Europe\\WW2_sse2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\europa universalis iii - complete\\eu3game.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Codename Panzers Cold War - SP Demo\\Home\\Game\\CPCW_SP_Demo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"e:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S0 ati8tlxx;ati8tlxx;c:\windows\system32\Drivers\ati8tlxx.sys --> c:\windows\system32\Drivers\ati8tlxx.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-28 33752]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-07 116664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44e93dfe-008d-11de-bc00-001a9202224e}]
\Shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45edc1e5-d79c-11dd-ad43-806d6172696f}]
\Shell\AutoRun\command - H:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f43476-de25-11dd-bbf4-001a9202224e}]
\Shell\AutoRun\command - I:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdeb4a62-df72-11dd-bbf5-001a9202224e}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - system.exe
\Shell\Open\command - system.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
HKLM-Run-Pvunumiw - c:\windows\Rxezoyowuyazami.dll
SafeBoot-ati5umxx.sys
SafeBoot-ati6owxx.sys
SafeBoot-ati8gfxx.sys


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 20:03:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-602609370-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-04-02 20:04:18
ComboFix-quarantined-files.txt 2009-04-03 00:04:16

Pre-Run: 105,445,146,624 bytes free
Post-Run: 105,936,379,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

184 --- E O F --- 2009-03-15 07:01:59




Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Age of Conan - Hyborian Adventures
AirPort
Apple Mobile Device Support
Apple Software Update
Battleground Europe: WWIIOL
Blitzkrieg 2
Bonjour
Choice Guard
Codename: Panzers Cold War - SP Demo
COWON Media Center - jetAudio Basic
Disciples 2 Gold Gallean
Disciples II Rise of the Elves
Doomsday
Europa Universalis III - Complete
EVE-ONLINE (remove only)
Fallout 3
getPlus(R) for Adobe
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
iTunes
Java(TM) 6 Update 11
LiveUpdate 3.2 (Symantec Corporation)
MechCommander
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Games for Windows - LIVE
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MechCommander 2
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Miracle C
MSVCRT
MSXML 6.0 Parser (KB925673)
NVIDIA Drivers
PlayGATE Setup
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Segoe UI
SoundMAX
SpywareBlaster 4.1
SSH Secure Shell
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Steam
Symantec AntiVirus
TeamSpeak 2 RC2
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Ventrilo Client
Windows Communication Foundation
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
 
Follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\akucesofihutafuz.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44e93dfe-008d-11de-bc00-001a9202224e}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45edc1e5-d79c-11dd-ad43-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f43476-de25-11dd-bbf4-001a9202224e}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdeb4a62-df72-11dd-bbf5-001a9202224e}]

Folder::
c:\documents and settings\Stefan\Application Data\LimeWire

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(may be gone)
O4 - HKLM\..\Run: [Tpoyetozuxahow] rundll32.exe "C:\WINDOWS\akucesofihutafuz.dll",e

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running?

Thanks


This can be done as time permits, but it is important, and may be why you are infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Java(TM) 6 Update 11 <<< needs an update:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
 
ComboFix 09-04-01.01 - Stefan 2009-04-02 20:34:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2313 [GMT -4:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stefan\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\akucesofihutafuz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Stefan\Application Data\LimeWire
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\Stefan\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\Stefan\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Stefan\Application Data\LimeWire\downloads.dat
c:\documents and settings\Stefan\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Stefan\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Stefan\Application Data\LimeWire\gnutella.net
c:\documents and settings\Stefan\Application Data\LimeWire\installation.props
c:\documents and settings\Stefan\Application Data\LimeWire\library.dat
c:\documents and settings\Stefan\Application Data\LimeWire\library5.dat
c:\documents and settings\Stefan\Application Data\LimeWire\limewire.props
c:\documents and settings\Stefan\Application Data\LimeWire\mojito.props
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\3816C1E5d01
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\AE98BDF8d01
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A99d01
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Stefan\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Stefan\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Stefan\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Stefan\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Stefan\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Stefan\Application Data\LimeWire\questions.props
c:\documents and settings\Stefan\Application Data\LimeWire\responses.cache
c:\documents and settings\Stefan\Application Data\LimeWire\simpp.xml
c:\documents and settings\Stefan\Application Data\LimeWire\spam.dat
c:\documents and settings\Stefan\Application Data\LimeWire\tables.props
c:\documents and settings\Stefan\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Stefan\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Stefan\Application Data\LimeWire\version.xml
c:\documents and settings\Stefan\Application Data\LimeWire\versions.props
c:\windows\akucesofihutafuz.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-04-01 14:21 . 2009-04-01 14:22 <DIR> d-------- c:\program files\SpywareBlaster
2009-04-01 14:21 . 2009-04-01 14:27 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-31 17:33 . 2009-03-31 17:33 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 18:19 . 2009-03-29 18:19 <DIR> d-------- c:\program files\SSH Communications Security
2009-03-29 18:19 . 2009-03-29 18:37 <DIR> d-------- c:\documents and settings\Stefan\Application Data\SSH
2009-03-27 22:51 . 2009-03-27 22:51 <DIR> d-------- c:\documents and settings\Dbutnaru
2009-03-27 22:51 . 2008-04-13 20:12 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-25 01:13 . 2009-03-25 14:28 227 --a------ c:\windows\ACTIVEJP.INI
2009-03-18 23:31 . 2009-03-25 01:15 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2009-03-18 23:25 . 2002-12-12 00:14 1,294,336 --a--c--- c:\windows\system32\dllcache\dsound3d.dll
2009-03-13 16:51 . 2009-03-13 16:51 <DIR> d-------- c:\windows\Sun
2009-03-07 02:18 . 2009-03-07 02:53 4,194,322 --a------ C:\memory_map.tga
2009-03-07 01:27 . 2009-03-07 01:27 <DIR> d-------- c:\documents and settings\Stefan\Application Data\The Creative Assembly
2009-03-07 00:49 . 2009-03-07 00:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-03-07 00:46 . 2009-03-07 00:46 <DIR> d-------- c:\documents and settings\Stefan\Application Data\DAEMON Tools Pro
2009-03-07 00:20 . 2009-03-07 00:58 <DIR> d-------- c:\program files\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 00:33 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-31 21:03 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-03-31 20:59 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-31 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 22:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 05:22 --------- d-----w c:\documents and settings\Stefan\Application Data\Apple Computer
2009-03-05 04:50 --------- d-----w c:\program files\Steam
2009-02-22 03:06 278,984 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-02-22 03:05 25,416 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-02-21 17:58 --------- d-----w c:\program files\Windows Live
2009-02-21 17:57 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-19 03:21 --------- d-----w c:\program files\Atari
2009-02-19 03:20 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-19 03:13 --------- d-----w c:\program files\Alcohol Soft
2009-02-12 03:07 --------- d-----w c:\program files\Miracle C
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 01:42 --------- d-----w c:\documents and settings\All Users\Application Data\media center programs
2009-02-07 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Funcom
2009-02-07 00:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 23:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-05 01:44 --------- d-----w c:\program files\Teamspeak2_RC2
2009-02-05 01:44 --------- d-----w c:\documents and settings\Stefan\Application Data\teamspeak2
2009-02-04 00:38 --------- d-----w c:\program files\Playnet
2009-02-04 00:38 --------- d-----w c:\program files\Netscape
2009-01-28 18:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-24 04:08 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-04 08:09 348,160 ----a-w c:\windows\system32\msvcr71.dll
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-04 185872]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"nwiz"="nwiz.exe" [2008-09-18 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8tlxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"e:\\Battleground Europe\\WW2_sse2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\europa universalis iii - complete\\eu3game.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Codename Panzers Cold War - SP Demo\\Home\\Game\\CPCW_SP_Demo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"e:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S0 ati8tlxx;ati8tlxx;c:\windows\system32\Drivers\ati8tlxx.sys --> c:\windows\system32\Drivers\ati8tlxx.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-28 33752]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-07 116664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Tpoyetozuxahow - c:\windows\akucesofihutafuz.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 20:35:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-602609370-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-04-02 20:36:54
ComboFix-quarantined-files.txt 2009-04-03 00:36:52
ComboFix2.txt 2009-04-03 00:04:19

Pre-Run: 105,929,879,552 bytes free
Post-Run: 105,900,384,256 bytes free

500 --- E O F --- 2009-03-15 07:01:59



Malwarebytes' Anti-Malware 1.35
Database version: 1935
Windows 5.1.2600 Service Pack 3

02/04/2009 9:26:56 PM
mbam-log-2009-04-02 (21-26-52).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 237154
Time elapsed: 45 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212,85.255.112.169 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{11a9b682-fc84-479c-b083-7a3093f803e1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212,85.255.112.169 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{DA8997FA-1A83-409E-BA0D-9AE160D3F658}\RP24\A0004241.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{DA8997FA-1A83-409E-BA0D-9AE160D3F658}\RP35\A0004746.exe (Trojan.Downloader) -> No action taken.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:07 PM, on 02/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1230803270651
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6508 bytes
 
No action taken <<< ??? The instructions say
* Be sure that everything is checked, and click Remove Selected.
Click to expand...
Update MBAM and run it again, this time follow the directions and post the scan results.
How is the computer running?
Click to expand...
Put that in RED to make sure you saw it, means I need some feedback from you.
 
Malwarebytes' Anti-Malware 1.35
Database version: 1938
Windows 5.1.2600 Service Pack 3

03/04/2009 5:56:02 PM
mbam-log-2009-04-03 (17-56-01).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 238657
Time elapsed: 43 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'm assumng the log said that due to having to reboot the computer.

The computer is runniong much better now Im not havung any of the problems I had before.

Thanks for all your help.
 
Let's try to wrap up like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


(optional, your call since it was clean the last scan)
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Symantec AntiVirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
 
Status
Not open for further replies.
Back
Top