Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Rootkit/keylogger

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Rootkit/keylogger

Unread postby LPriola » January 3rd, 2010, 1:43 pm

I have recently had an issue with a possible keylogger. The software behind this was able to retrieve my email account and password, along with another website's password. I've ran most mainstream checks already, but nothing has turned up yet. Reformatting is not really an option for my situation, along with my determination to find the source of this malware. I have been using thunderbird for my email accounts, but only 1 became effected by it. I have been using thunderbird for close to a year without any issues. Any assistance or insight would be greatly appreciated.

hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:08 PM, on 1/3/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\System32\wsqmcons.exe
C:\Program Files\windows defender\MSASCui.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Larry\Downloads\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JRHSUR - Sysinternals - http://www.sysinternals.com - C:\Users\Larry\AppData\Local\Temp\JRHSUR.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: WFHP - Sysinternals - http://www.sysinternals.com - C:\Users\Larry\AppData\Local\Temp\WFHP.exe

--
End of file - 7119 bytes

Uninstall list:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9
Adobe Stock Photos 1.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
AVG Free 9.0
Avi to Mpeg 2.5
Call of Duty(R) 4 - Modern Warfare(TM)
CDDRV_Installer
Curse Client
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DotA Allstars Launcher
Drum Controller Standard Tuning Kit
EasyCleaner
Fraps (remove only)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet All-In-One Software 9.0
InterVideo DeviceService
iPod for Windows 2006-06-28
iTunes
Java(TM) 6 Update 15
KhalInstallWrapper
LimeWire 5.3.6
Logitech GamePanel Software 2.02
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
NVIDIA Drivers
PowerDVD
QuickTime
RealPlayer
Sony DVD Architect 3.0c
Sony Media Manager 2.0
Sony Vegas 6.0c
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Trillian
Trojan Remover 6.8.1
Ulead DVD MovieFactory 6
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Ventrilo Client
VIA Platform Device Manager
Vuze
Warcraft III
WC3Banlist
Winamp
WinPcap 3.1
WinRAR archiver
World of Warcraft
LPriola
Active Member
 
Posts: 7
Joined: January 3rd, 2010, 1:32 pm
Advertisement
Register to Remove

Re: Rootkit/keylogger

Unread postby MWR 3 day Mod » January 7th, 2010, 1:50 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Rootkit/keylogger

Unread postby jmw3 » January 8th, 2010, 1:03 pm

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is postedis ticked on the POST A REPLY page.

In the meantime please note the following:
  • Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 5.3.6 | Vuse

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
To post in next reply:
Contents of DDS log
Contents of Attach.txt
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Rootkit/keylogger

Unread postby LPriola » January 8th, 2010, 9:29 pm

DDS (Ver_09-12-01.01) - NTFSx86
Run by Larry at 20:21:51.34 on Fri 01/08/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.1039 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\World of Warcraft\WoW.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Larry\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/f ... wflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\larry\appdata\roaming\mozilla\firefox\profiles\4m6tlgh3.default\
FF - prefs.js: browser.startup.homepage - cnn.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\users\larry\appdata\roaming\mozilla\firefox\profiles\4m6tlgh3.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-25 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-25 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-30 360584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-2 285392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-30 1153368]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-10-25 250880]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-1-2 21504]
S3 JRHSUR;JRHSUR;c:\users\larry\appdata\local\temp\jrhsur.exe --> c:\users\larry\appdata\local\temp\JRHSUR.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 PORTMON;PORTMON;c:\users\larry\downloads\sysinternalssuite(2)\PORTMSYS.SYS [2010-1-5 28656]
S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [2008-10-31 56832]
S3 UZJBTLAINQG;UZJBTLAINQG;c:\users\larry\appdata\local\temp\uzjbtlainqg.exe --> c:\users\larry\appdata\local\temp\UZJBTLAINQG.exe [?]
S3 WFHP;WFHP;c:\users\larry\appdata\local\temp\wfhp.exe --> c:\users\larry\appdata\local\temp\WFHP.exe [?]
S3 XRF;XRF;c:\users\larry\appdata\local\temp\xrf.exe --> c:\users\larry\appdata\local\temp\XRF.exe [?]

=============== Created Last 30 ================

2010-01-06 04:19:58 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-05 21:04:03 0 d-----w- C:\Dredd
2010-01-05 09:08:29 0 d-sh--w- C:\$RECYCLE.BIN
2010-01-05 08:59:22 98816 ----a-w- c:\windows\sed.exe
2010-01-05 08:59:22 77312 ----a-w- c:\windows\MBR.exe
2010-01-05 08:59:22 261632 ----a-w- c:\windows\PEV.exe
2010-01-05 08:59:22 161792 ----a-w- c:\windows\SWREG.exe
2010-01-05 08:58:58 0 d-----w- C:\ComboFix
2010-01-05 08:46:31 0 d-----w- c:\users\larry\appdata\roaming\Wireshark
2010-01-05 07:12:09 0 d-----w- c:\program files\Wireshark
2010-01-05 05:59:13 291933382 ----a-w- c:\windows\MEMORY.DMP
2010-01-05 05:35:34 0 d-----w- c:\program files\Windows Portable Devices
2010-01-05 05:35:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-05 05:23:26 65456891 ----a-w- c:\windows\system32\EIKUMYGCW
2010-01-05 05:19:29 0 d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-01-05 05:08:37 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-01-05 05:08:37 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-01-05 05:08:37 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-01-05 05:06:35 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-01-05 05:05:06 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-01-05 05:05:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-01-05 05:05:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-01-04 07:10:23 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-01-04 06:39:33 0 d-----w- c:\windows\system32\eu-ES
2010-01-04 06:39:33 0 d-----w- c:\windows\system32\ca-ES
2010-01-04 06:39:32 0 d-----w- c:\windows\system32\vi-VN
2010-01-04 06:38:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-01-04 06:09:05 0 d-----w- c:\windows\system32\EventProviders
2010-01-04 05:10:00 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-01-04 05:09:58 11967524 ----a-w- c:\windows\system32\korwbrkr.lex
2010-01-04 03:38:51 220536 ----a-w- C:\sigcheck.exe
2010-01-04 02:46:59 67584 ----a-w- c:\windows\system32\slwmi.dll
2010-01-04 02:45:59 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-03 17:47:59 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-01-03 07:33:08 0 d-----w- c:\program files\ToniArts
2010-01-03 07:20:45 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 06:47:44 0 d-----w- C:\PerfLogs
2010-01-03 05:33:34 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-03 05:08:11 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-03 05:08:10 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-03 05:08:10 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-03 04:51:20 65536 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-01-03 04:51:20 47382528 ----a-w- c:\windows\ocsetup_install_NetFx3.etl
2010-01-03 04:51:20 196608 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-01-03 04:43:22 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-01-03 04:35:10 705536 ----a-w- c:\windows\system32\imagesp1.dll
2010-01-03 04:35:06 116736 ----a-w- c:\windows\system32\sstpsvc.dll
2010-01-03 04:35:05 175104 ----a-w- c:\windows\system32\winrscmd.dll
2010-01-03 04:33:53 339456 ----a-w- c:\windows\system32\appmgr.dll
2010-01-03 04:32:59 87552 ----a-w- c:\windows\system32\msoert2.dll
2010-01-03 04:31:32 102400 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2010-01-03 04:31:31 357888 ----a-w- c:\windows\system32\wbemcomn.dll
2010-01-03 04:31:30 129536 ----a-w- c:\windows\system32\sqmapi.dll
2010-01-03 04:31:29 139264 ----a-w- c:\windows\system32\SmiInstaller.dll
2010-01-03 04:31:07 35328 ----a-w- c:\windows\system32\mspatcha.dll
2010-01-03 04:31:07 305152 ----a-w- c:\windows\system32\msdelta.dll
2010-01-03 04:31:07 258560 ----a-w- c:\windows\system32\dpx.dll
2010-01-03 04:28:01 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-01-03 04:28:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-03 04:27:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-03 04:27:59 57667 ----a-w- c:\windows\system32\ieuinit.inf
2010-01-03 04:27:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-03 04:27:59 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-03 04:27:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-01-03 04:13:03 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-03 04:13:03 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-03 04:13:03 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-03 04:13:03 23552 ----a-w- c:\windows\system32\lpk.dll
2010-01-03 04:13:03 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-03 04:13:03 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-03 04:11:56 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-01-03 04:11:55 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-01-03 04:11:55 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-01-03 04:11:32 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-03 04:11:32 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-01-03 04:11:30 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-03 04:11:18 98816 ----a-w- c:\windows\system32\mfps.dll
2010-01-03 04:11:18 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-01-03 04:11:18 2868224 ----a-w- c:\windows\system32\mf.dll
2010-01-03 04:11:18 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-01-03 04:11:18 2048 ----a-w- c:\windows\system32\mferror.dll
2010-01-03 04:10:59 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-01-03 04:10:44 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-01-03 04:10:44 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-01-03 04:10:44 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-01-03 04:10:44 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-01-03 04:10:44 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-01-03 04:10:44 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-01-03 04:10:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-01-03 04:10:44 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-01-03 04:10:44 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-01-03 04:10:44 10240 ----a-w- c:\windows\system32\finger.exe
2010-01-03 04:08:59 623616 ----a-w- c:\windows\system32\localspl.dll
2010-01-03 04:08:34 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-01-03 04:08:27 71680 ----a-w- c:\windows\system32\atl.dll
2010-01-03 04:07:53 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-01-03 04:07:53 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-01-03 04:07:53 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-01-03 04:07:48 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-01-03 04:07:37 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-01-03 04:07:32 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-01-03 04:07:05 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-01-03 03:58:02 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-01-03 03:55:28 0 d-----w- C:\Download
2010-01-03 03:55:26 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-03 03:53:50 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-01-03 03:53:48 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-03 03:53:47 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-01-03 03:53:47 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-01-03 03:53:47 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-01-03 03:51:51 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-01-03 03:49:21 61440 ----a-w- c:\windows\system32\WD
2010-01-03 03:38:17 0 d-----w- c:\windows\system32\appmgmt
2010-01-03 03:24:20 1820 ----a-w- c:\windows\system32\rasctrnm.h
2010-01-03 03:23:16 12880 ----a-w- c:\windows\system32\wbem\wlan.mof
2010-01-03 03:18:49 37888 ----a-w- c:\windows\system32\printcom.dll
2010-01-03 03:18:19 0 d-----w- c:\program files\MSXML 4.0
2010-01-03 02:57:23 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-01-03 02:56:32 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-01-03 02:56:10 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-03 02:55:58 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-01-03 01:01:19 0 d-----w- c:\program files\Trojan Remover
2010-01-02 16:37:36 0 d-----w- C:\$AVG
2010-01-02 16:36:44 0 d-----w- c:\programdata\AVG Security Toolbar
2010-01-02 16:35:59 0 d-----w- c:\programdata\avg9
2010-01-02 16:27:02 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-02 16:27:02 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-02 16:27:02 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-02 16:27:02 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-02 16:27:02 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-01-02 16:26:52 0 d-----w- c:\users\larry\appdata\roaming\Simply Super Software
2010-01-02 16:26:52 0 d-----w- c:\programdata\Simply Super Software
2010-01-02 16:24:04 0 d-----w- c:\users\larry\appdata\roaming\Malwarebytes
2010-01-02 16:24:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-02 16:23:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 16:23:58 0 d-----w- c:\programdata\Malwarebytes
2010-01-02 16:23:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-01-08 01:21:29 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-08 01:21:29 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-08 01:21:28 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-05 05:35:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-04 06:24:39 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-01-03 06:58:27 174 --sha-w- c:\program files\desktop.ini
2010-01-03 06:36:23 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-01-03 06:36:21 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-01-02 16:37:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-02 16:37:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-02 16:36:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-21 09:30:06 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-10-20 18:20:06 96784 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19:54 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19:30 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:23:45.08 ===============
You do not have the required permissions to view the files attached to this post.
LPriola
Active Member
 
Posts: 7
Joined: January 3rd, 2010, 1:32 pm

Re: Rootkit/keylogger

Unread postby jmw3 » January 9th, 2010, 12:13 am

Hi

If I could ask you not to attach logs. Please copy/paste the contents of any logs requested directly into your posts.
Cheers

Multiple Anti-virus Programs
You are operating your computer with multiple Anti-virus programs running in memory at once:
AVG Free 9.0 | Microsoft Security Essentials
Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them NOW.

This is in the list of Installed Programs from the Attach log you provided:
Advertising Center
Though not in the Uninstall List. Any idea what that is? Something you installed yourself?

Disable Spybot's TeaTimer 1.5 & 1.6
  • If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
  • Click on Mode > Advanced Mode. When it prompts you, click Yes
  • On the left hand side, click on Tools
  • Check this box if it is not yet ticked: Resident
  • You will notice that Resident is now added under Tools. Click on Resident
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
  • Exit Spybot Search & Destroy
  • Restart your computer for the changes to take effect
Leave TeaTimer disabled until we're done here.

DeFogger
Download DeFogger by jpshortstuff from here & save it to your desktop.
  • Right click DeFogger then choose Run as Administrator to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Gmer log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Rootkit/keylogger

Unread postby LPriola » January 9th, 2010, 8:56 pm

No idea what 'Advertising Center' is. Surely nothing I would install on my own accord.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2010-01-09 19:27:04
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Larry\AppData\Local\Temp\uwlyypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
LPriola
Active Member
 
Posts: 7
Joined: January 3rd, 2010, 1:32 pm

Re: Rootkit/keylogger

Unread postby jmw3 » January 9th, 2010, 10:09 pm

Hi
No idea what 'Advertising Center' is. Surely nothing I would install on my own accord.

OK, no worries.

Remove Programs
Click Start > Control Panel > Programs and Features
Remove these programs by clicking Uninstall

Advertising Center

If some programs listed are not present, please do not panic

Research suggests sometimes this can be a brute to uninstall or not even show in the Program and Features list. If that's the case try this:

Windows Installer Cleanup Utility
Download the Windows Installer Cleanup Utility from here & save it to your Desktop.
  • Right-click on msicuu2.exe then choose Run as Administrator to install the utility
  • Click Start >> All Programs >> Windows Install Clean Up
  • Once the program is open select:

    Advertising Center

  • Any other entry relating to software applications no longer installed
  • Click Remove, then click OK
  • Reboot your computer
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right-click on ComboFix.exe then choose Run as Administrator & follow the prompts
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
ComboFix log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Rootkit/keylogger

Unread postby LPriola » January 10th, 2010, 1:24 am

I haven't had any proof or activity that there is active malware on my machine, however I believe it may still be dormant and in hiding still. I'm a big fan of EasyClean (ToniArts) and removed a large amount of invalid registry keys. As far as computer stability goes, I've been seeing a few 'freezes' here and there. When I start my world of warcraft application, and attempt to log in, it freezes immediately on that screen. The sound buffer is still running, but something's causing a graphical glitch or something, possibly another program interfering with the outgoing packets. Otherwise, system responds normally from boot to shut down. I have been disabling my AVG anti virus and adopting Microsoft's to be me resident guard dog.

ComboFix 10-01-04.01 - Larry 01/09/2010 23:54:38.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.2110 [GMT -5:00]
Running from: c:\users\Larry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-05 08:46 . 2010-01-05 18:06 -------- d-----w- c:\users\Larry\AppData\Roaming\Wireshark
2010-01-05 07:12 . 2010-01-05 07:13 -------- d-----w- c:\program files\Wireshark
2010-01-05 05:35 . 2010-01-05 05:35 -------- d-----w- c:\program files\Windows Portable Devices
2010-01-05 05:19 . 2010-01-05 05:44 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-01-05 05:08 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-01-05 05:08 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-01-05 05:08 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-01-05 05:06 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-01-05 05:06 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-01-05 05:06 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-01-05 05:06 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-01-05 05:06 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-01-05 05:06 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-01-05 05:06 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-01-05 05:06 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-01-05 05:06 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-01-05 05:06 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-01-05 05:06 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-01-05 05:06 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-01-05 05:05 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-01-05 05:05 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-01-05 05:05 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-01-04 07:10 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-01-04 07:10 . 2010-01-04 07:10 -------- d-----w- c:\program files\Alwil Software
2010-01-04 06:39 . 2010-01-04 06:40 -------- d-----w- c:\windows\system32\ca-ES
2010-01-04 06:39 . 2010-01-04 06:40 -------- d-----w- c:\windows\system32\eu-ES
2010-01-04 06:39 . 2010-01-04 06:40 -------- d-----w- c:\windows\system32\vi-VN
2010-01-04 06:09 . 2010-01-04 06:09 -------- d-----w- c:\windows\system32\EventProviders
2010-01-04 05:10 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-01-04 04:47 . 2010-01-04 04:47 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-01-04 03:38 . 2009-12-01 15:53 220536 ----a-w- C:\sigcheck.exe
2010-01-04 02:46 . 2009-04-11 06:28 1077248 ----a-w- c:\windows\system32\vssapi.dll
2010-01-04 02:45 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-03 17:48 . 2010-01-03 17:48 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-03 17:47 . 2010-01-03 17:47 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-01-03 13:12 . 2010-01-02 16:36 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-03 13:12 . 2010-01-02 16:36 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-03 13:12 . 2010-01-02 16:36 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-03 13:12 . 2010-01-02 16:36 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-03 13:12 . 2010-01-02 16:36 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-03 13:12 . 2010-01-02 16:36 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-03 07:33 . 2010-01-03 07:33 -------- d-----w- c:\program files\ToniArts
2010-01-03 07:20 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 06:47 . 2010-01-03 06:47 -------- d-----w- C:\PerfLogs
2010-01-03 05:33 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-03 05:08 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-03 05:08 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-03 05:08 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-03 04:43 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-01-03 04:35 . 2008-01-19 07:29 705536 ----a-w- c:\windows\system32\imagesp1.dll
2010-01-03 04:35 . 2008-01-19 07:36 116736 ----a-w- c:\windows\system32\sstpsvc.dll
2010-01-03 04:35 . 2008-01-19 07:36 175104 ----a-w- c:\windows\system32\winrscmd.dll
2010-01-03 04:33 . 2008-01-19 07:37 1642496 ----a-w- c:\windows\system32\WMPEncEn.dll
2010-01-03 04:32 . 2008-01-19 07:36 80896 ----a-w- c:\windows\system32\wbem\WMIPICMP.dll
2010-01-03 04:31 . 2008-01-19 07:34 102400 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2010-01-03 04:31 . 2008-01-19 07:36 357888 ----a-w- c:\windows\system32\wbemcomn.dll
2010-01-03 04:31 . 2008-01-19 07:36 129536 ----a-w- c:\windows\system32\sqmapi.dll
2010-01-03 04:31 . 2008-01-19 07:36 139264 ----a-w- c:\windows\system32\SmiInstaller.dll
2010-01-03 04:31 . 2008-01-19 07:35 35328 ----a-w- c:\windows\system32\mspatcha.dll
2010-01-03 04:31 . 2008-01-19 07:34 305152 ----a-w- c:\windows\system32\msdelta.dll
2010-01-03 04:31 . 2008-01-19 07:34 258560 ----a-w- c:\windows\system32\dpx.dll
2010-01-03 04:28 . 2009-11-21 06:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-03 04:27 . 2009-11-21 06:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-03 04:27 . 2009-11-21 06:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-03 04:27 . 2009-11-21 04:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-03 04:13 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-03 04:13 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2010-01-03 04:13 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-03 04:13 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-03 04:13 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-03 04:13 . 2009-04-11 06:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-03 04:11 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-01-03 04:11 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-03 04:11 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-01-03 04:11 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-03 04:11 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2010-01-03 04:11 . 2009-04-11 06:28 98816 ----a-w- c:\windows\system32\mfps.dll
2010-01-03 04:11 . 2009-04-11 06:27 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-01-03 04:11 . 2009-04-11 06:27 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-01-03 04:11 . 2009-04-11 04:54 2048 ----a-w- c:\windows\system32\mferror.dll
2010-01-03 04:10 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-01-03 04:10 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2010-01-03 04:10 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-01-03 04:10 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-01-03 04:10 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-01-03 04:10 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-01-03 04:10 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-01-03 04:10 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-01-03 04:10 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2010-01-03 04:10 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-01-03 04:10 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-01-03 04:08 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2010-01-03 04:08 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-01-03 04:08 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2010-01-03 04:07 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-01-03 04:07 . 2008-01-19 07:35 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-01-03 04:07 . 2008-01-19 07:35 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-01-03 04:07 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-01-03 04:07 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-01-03 04:07 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-01-03 04:07 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-01-03 03:58 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-01-03 03:55 . 2010-01-03 03:55 -------- d-----w- C:\Download
2010-01-03 03:55 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-03 03:53 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-01-03 03:53 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-03 03:53 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-01-03 03:53 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-01-03 03:51 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-01-03 03:18 . 2010-01-03 03:18 37888 ----a-w- c:\windows\system32\printcom.dll
2010-01-03 03:18 . 2010-01-03 03:18 -------- d-----w- c:\program files\MSXML 4.0
2010-01-03 02:57 . 2010-01-03 02:57 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-01-03 02:57 . 2010-01-03 02:57 44768 ----a-w- c:\windows\system32\wups2.dll
2010-01-03 02:57 . 2010-01-03 02:57 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-01-03 02:57 . 2010-01-03 02:57 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-01-03 02:56 . 2010-01-03 02:56 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-01-03 02:56 . 2010-01-03 02:56 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-01-03 02:56 . 2010-01-03 02:56 35552 ----a-w- c:\windows\system32\wups.dll
2010-01-03 02:56 . 2010-01-03 02:56 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-03 02:55 . 2010-01-03 02:55 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-01-03 01:01 . 2010-01-03 01:01 -------- d-----w- c:\program files\Trojan Remover
2010-01-03 01:00 . 2009-11-25 18:01 1230080 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2010-01-02 20:52 . 2010-01-02 20:52 -------- d-----w- c:\users\Larry\AppData\Local\AVG Security Toolbar
2010-01-02 16:37 . 2010-01-02 20:49 -------- d-----w- C:\$AVG
2010-01-02 16:36 . 2010-01-03 01:00 -------- d-----w- c:\programdata\AVG Security Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 04:51 . 2008-10-29 16:04 -------- d-----w- c:\users\Larry\AppData\Roaming\U3
2010-01-10 02:29 . 2010-01-10 02:29 3584 ----a-r- c:\users\Larry\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-10 02:29 . 2010-01-10 02:29 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-01-10 02:28 . 2010-01-10 02:28 -------- d-----w- c:\program files\MSECACHE
2010-01-08 01:20 . 2010-01-08 01:20 -------- d-----w- c:\program files\Microsoft LifeChat
2010-01-06 04:20 . 2010-01-06 04:19 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-05 07:13 . 2009-06-16 04:20 -------- d-----w- c:\program files\WinPcap
2010-01-05 06:10 . 2009-03-04 16:08 -------- d-----w- c:\program files\Common Files\Apple
2010-01-05 05:35 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-05 05:35 . 2010-01-05 05:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-04 16:53 . 2008-10-25 05:47 112800 ----a-w- c:\users\Larry\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-04 08:12 . 2008-11-12 01:02 -------- d-----w- c:\programdata\Microsoft Help
2010-01-04 08:08 . 2008-11-12 01:06 -------- d-----w- c:\program files\Microsoft Works
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-04 06:40 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-04 06:38 . 2010-01-04 06:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-01-04 05:50 . 2008-10-27 05:38 -------- d-----w- c:\program files\Vuze
2010-01-03 07:33 . 2008-10-25 05:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-03 06:36 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-01-03 06:36 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-01-03 03:37 . 2009-05-14 03:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-02 16:37 . 2008-10-25 14:33 -------- d-----w- c:\program files\AVG
2010-01-02 16:37 . 2009-01-31 03:18 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-02 16:37 . 2008-10-25 14:33 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-02 16:37 . 2008-10-25 14:33 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-02 16:36 . 2008-10-25 14:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-02 15:41 . 2009-11-30 20:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-21 19:54 . 2008-12-21 06:34 -------- d-----w- c:\users\Larry\AppData\Roaming\LimeWire
2009-12-18 01:20 . 2008-10-27 05:39 -------- d-----w- c:\users\Larry\AppData\Roaming\Azureus
2009-11-30 20:51 . 2009-11-30 20:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-27 23:44 . 2009-11-27 23:44 -------- d-----w- c:\users\Guest\AppData\Roaming\Logitech
2009-11-27 23:44 . 2009-11-27 23:44 112800 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-23 02:00 . 2009-11-23 02:00 439816 ----a-w- c:\users\Larry\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-21 09:30 . 2009-11-21 09:30 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-11-21 00:51 . 2009-09-30 22:05 -------- d-----w- c:\program files\iPod
2009-10-20 18:20 . 2009-10-20 18:20 96784 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19 . 2009-10-20 18:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19 . 2009-10-20 18:19 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2009-10-20 18:19 . 2009-10-20 18:19 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-10-19 19:08 . 2008-11-23 17:10 175 ----a-w- c:\users\Larry\AppData\Roaming\Azureus\restart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2008-03-25 14131200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 92704]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-03 2033432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Larry^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Larry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 06:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-04-04 19:41 970752 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-21 03:12 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e2,d6,77,21,09,8d,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3759937382-3024296757-1267975415-1000]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/25/2008 9:33 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/30/2009 10:18 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/2/2010 11:36 AM 285392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/30/2009 3:16 PM 1153368]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [6/18/2009 6:48 PM 42480]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\System32\drivers\viahduaa.sys [10/25/2008 12:52 AM 250880]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/2/2010 11:33 PM 21504]
S3 JRHSUR;JRHSUR;c:\users\Larry\AppData\Local\Temp\JRHSUR.exe --> c:\users\Larry\AppData\Local\Temp\JRHSUR.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
S3 PORTMON;PORTMON;c:\users\Larry\Downloads\SysinternalsSuite(2)\PORTMSYS.SYS [1/5/2010 2:46 AM 28656]
S3 RDID1009;EDIROL UM-1;c:\windows\System32\drivers\Rdwm1009.sys [10/31/2008 12:18 PM 56832]
S3 UZJBTLAINQG;UZJBTLAINQG;c:\users\Larry\AppData\Local\Temp\UZJBTLAINQG.exe --> c:\users\Larry\AppData\Local\Temp\UZJBTLAINQG.exe [?]
S3 WFHP;WFHP;c:\users\Larry\AppData\Local\Temp\WFHP.exe --> c:\users\Larry\AppData\Local\Temp\WFHP.exe [?]
S3 XRF;XRF;c:\users\Larry\AppData\Local\Temp\XRF.exe --> c:\users\Larry\AppData\Local\Temp\XRF.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - uwlyypod

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Larry\AppData\Roaming\Mozilla\Firefox\Profiles\4m6tlgh3.default\
FF - prefs.js: browser.startup.homepage - cnn.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\users\Larry\AppData\Roaming\Mozilla\Firefox\Profiles\4m6tlgh3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 00:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\VDeck\VDeck.exe????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3952)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2010-01-10 00:02:03
ComboFix-quarantined-files.txt 2010-01-10 05:02
ComboFix2.txt 2010-01-05 09:08

Pre-Run: 175,387,049,984 bytes free
Post-Run: 175,342,911,488 bytes free

- - End Of File - - 4639E5960C1E19AFE869BDD1228996E6
LPriola
Active Member
 
Posts: 7
Joined: January 3rd, 2010, 1:32 pm

Re: Rootkit/keylogger

Unread postby jmw3 » January 10th, 2010, 2:11 am

Hi

I have been disabling my AVG anti virus and adopting Microsoft's to be me resident guard dog.
If you are not using AVG, then you should uninstall it. Even though disabled it will still reside in memory & hook into the kernel. I would not at all be surprised if this is the cause of some your problems. Having two AVs running in memory at once will cause conflicts.

TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.
  • Save any unsaved work. TFC Cleaner will close all open application windows
  • Double-click TFC.exe to run the program, your desktop will temporarily disappear
  • If prompted, click Yes to reboot
Note: Save your work.. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
File::
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\pthreadVC.dll
Folder::
c:\program files\Vuze
c:\users\Larry\AppData\Roaming\LimeWire
c:\users\Larry\AppData\Roaming\Azureus
Driver::
NPF 

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
Pictured tutorial if required.

To post in next reply:
ComboFix log
Kaspersky Online Scan log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Rootkit/keylogger

Unread postby LPriola » January 10th, 2010, 1:08 pm

All of these files combofix "deletes" are really just sent to a quarantine folder. Should I be deleting this manually? 186mb of files is quite alarming to be left over from the uninstalls.


ComboFix 10-01-04.01 - Larry 01/10/2010 2:15.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.2087 [GMT -5:00]
Running from: c:\users\Larry\Desktop\ComboFix.exe
Command switches used :: c:\users\Larry\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\npf.sys"
"c:\windows\system32\Packet.dll"
"c:\windows\system32\pthreadVC.dll"
"c:\windows\system32\wpcap.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Vuze
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.zip
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.jar
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.zip
c:\program files\Vuze\plugins\azemp\azemp_2.1.06.jar
c:\program files\Vuze\plugins\azemp\azemp_2.1.06.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.30
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.34
c:\program files\Vuze\plugins\azemp\plugin.properties_2.1.02
c:\program files\Vuze\plugins\azemp\plugin.properties_2.1.06
c:\program files\Vuze\plugins\azupdater\azupdater_1.8.10.zip
c:\program files\Vuze\plugins\azupdater\azupdater_1.8.12.zip
c:\program files\Vuze\plugins\azupdater\azupdaterpatcher_1.8.10.jar
c:\program files\Vuze\plugins\azupdater\azupdaterpatcher_1.8.12.jar
c:\program files\Vuze\plugins\azupdater\Azureus2_4.2.0.4_P4.pat
c:\program files\Vuze\plugins\azupdater\Azureus2_4.2.0.8_P4.pat
c:\program files\Vuze\plugins\azupdater\plugin.properties.bak
c:\program files\Vuze\plugins\azupdater\plugin.properties_1.8.10
c:\program files\Vuze\plugins\azupdater\plugin.properties_1.8.12
c:\program files\Vuze\plugins\azupdater\Updater.jar.bak
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.zip
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.21.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.21.zip
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.zip
c:\program files\Vuze\plugins\azupnpav\plugin.properties.bak
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.17
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.21
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.5
c:\users\Larry\AppData\Roaming\Azureus
c:\users\Larry\AppData\Roaming\Azureus\.certs
c:\users\Larry\AppData\Roaming\Azureus\.keystore
c:\users\Larry\AppData\Roaming\Azureus\.lock
c:\users\Larry\AppData\Roaming\Azureus\active\074FEE420629FE6927AE2A3392BB818DA31A1709.dat
c:\users\Larry\AppData\Roaming\Azureus\active\074FEE420629FE6927AE2A3392BB818DA31A1709.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\09F1C183046C06B6442BA5BCA987E5B740D08800.dat
c:\users\Larry\AppData\Roaming\Azureus\active\09F1C183046C06B6442BA5BCA987E5B740D08800.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\0C58F4C37D13FC76CB404EE07B24BF9A2BC6517A.dat
c:\users\Larry\AppData\Roaming\Azureus\active\0C58F4C37D13FC76CB404EE07B24BF9A2BC6517A.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\0F31A3A9F088AB8AB6AE9FD1609775929738AF9D.dat
c:\users\Larry\AppData\Roaming\Azureus\active\0F31A3A9F088AB8AB6AE9FD1609775929738AF9D.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\14EC977A4FDCB1B29B90A4455D6E7F8410C23166.dat
c:\users\Larry\AppData\Roaming\Azureus\active\14EC977A4FDCB1B29B90A4455D6E7F8410C23166.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\224432F9FA3A5952120D73A33119BDF24D1B1046.dat
c:\users\Larry\AppData\Roaming\Azureus\active\224432F9FA3A5952120D73A33119BDF24D1B1046.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\2F5088E35429C67CCC7AB7D88E6C41DFC239DC77.dat
c:\users\Larry\AppData\Roaming\Azureus\active\2F5088E35429C67CCC7AB7D88E6C41DFC239DC77.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\31658461C4E124DF7F5C6CC6DEDA55F93A017846.dat
c:\users\Larry\AppData\Roaming\Azureus\active\31658461C4E124DF7F5C6CC6DEDA55F93A017846.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\37B4593FDFF80B806FFA68BF9DDE07C178904A15.dat
c:\users\Larry\AppData\Roaming\Azureus\active\37B4593FDFF80B806FFA68BF9DDE07C178904A15.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\45848337222038B707AE5F72525FA22028160B5E.dat
c:\users\Larry\AppData\Roaming\Azureus\active\45848337222038B707AE5F72525FA22028160B5E.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\470FA3ED8D0892F2F4C2310AE5336D26DC11BACC.dat
c:\users\Larry\AppData\Roaming\Azureus\active\470FA3ED8D0892F2F4C2310AE5336D26DC11BACC.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\4EDD703B434241A5649A23240ECDFF4121085AD2.dat
c:\users\Larry\AppData\Roaming\Azureus\active\4EDD703B434241A5649A23240ECDFF4121085AD2.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\5A8CE5E9E9E81D8A8652798FCAEE8A79F9F26382.dat
c:\users\Larry\AppData\Roaming\Azureus\active\5A8CE5E9E9E81D8A8652798FCAEE8A79F9F26382.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\61CFE790BD87E8AD23C130E5CA044FFEC9ED1672.dat
c:\users\Larry\AppData\Roaming\Azureus\active\61CFE790BD87E8AD23C130E5CA044FFEC9ED1672.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\64157672F5482A7FB3F767D2EFC3B3B40AF9F2B8.dat
c:\users\Larry\AppData\Roaming\Azureus\active\64157672F5482A7FB3F767D2EFC3B3B40AF9F2B8.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\67C9E06A5FFEC1A8B8F2D0FAD3A0886138CA82C4.dat
c:\users\Larry\AppData\Roaming\Azureus\active\67C9E06A5FFEC1A8B8F2D0FAD3A0886138CA82C4.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\6D13C4E4A06F3A9D8D87A583166E0D4A8F9B5DCD.dat
c:\users\Larry\AppData\Roaming\Azureus\active\6D13C4E4A06F3A9D8D87A583166E0D4A8F9B5DCD.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\7332EB04D69D939CCF14CD5F1FDEAD2C14252164.dat
c:\users\Larry\AppData\Roaming\Azureus\active\7332EB04D69D939CCF14CD5F1FDEAD2C14252164.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\7AB38FD9EC9F49FD67C9C3FDE5B75CC68EE25980.dat
c:\users\Larry\AppData\Roaming\Azureus\active\7AB38FD9EC9F49FD67C9C3FDE5B75CC68EE25980.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\820168F287B6EC4907C46E0EEA4DA5C35AE4CE33.dat
c:\users\Larry\AppData\Roaming\Azureus\active\820168F287B6EC4907C46E0EEA4DA5C35AE4CE33.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\828FC2638117D84D750091F4CAC8D266FDACB787.dat
c:\users\Larry\AppData\Roaming\Azureus\active\828FC2638117D84D750091F4CAC8D266FDACB787.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\832E6FA61F72F34D53CC7DE24CA3A99C5BD9802B.dat
c:\users\Larry\AppData\Roaming\Azureus\active\832E6FA61F72F34D53CC7DE24CA3A99C5BD9802B.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\844E1FAAE211DAAD402AC02625B9FD44887C09DC.dat
c:\users\Larry\AppData\Roaming\Azureus\active\844E1FAAE211DAAD402AC02625B9FD44887C09DC.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\9551D0429C35F767D28716A86F432636986E8F9D.dat
c:\users\Larry\AppData\Roaming\Azureus\active\9551D0429C35F767D28716A86F432636986E8F9D.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\99B8314B0B1835F4F606DC29D0D5CB68AE45AB92.dat
c:\users\Larry\AppData\Roaming\Azureus\active\99B8314B0B1835F4F606DC29D0D5CB68AE45AB92.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\A040CF6968ADED89272DB23A56B241FE6211E78D.dat
c:\users\Larry\AppData\Roaming\Azureus\active\A040CF6968ADED89272DB23A56B241FE6211E78D.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\A126B09CAFEE7E206E4E48C881847CE01E6783CB.dat
c:\users\Larry\AppData\Roaming\Azureus\active\A126B09CAFEE7E206E4E48C881847CE01E6783CB.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\A214E45389A62506E761953F0FE8472929E5147A.dat
c:\users\Larry\AppData\Roaming\Azureus\active\A214E45389A62506E761953F0FE8472929E5147A.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\AA12E25D956C2FD74709E21161B0702BE853C3C7.dat
c:\users\Larry\AppData\Roaming\Azureus\active\AA12E25D956C2FD74709E21161B0702BE853C3C7.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\AC0231414AF5CBE27E0B367E766FC21D2986CC5D.dat
c:\users\Larry\AppData\Roaming\Azureus\active\AC0231414AF5CBE27E0B367E766FC21D2986CC5D.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\B99B658DBE8743DBBD21257F93E4535B8092AA51.dat
c:\users\Larry\AppData\Roaming\Azureus\active\B99B658DBE8743DBBD21257F93E4535B8092AA51.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\BA4FEC9605CD3E862931520E835BD426CAA582D0.dat
c:\users\Larry\AppData\Roaming\Azureus\active\BA4FEC9605CD3E862931520E835BD426CAA582D0.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\BC381280E34D8EF1192D5CE4BFD0705256E2F686.dat
c:\users\Larry\AppData\Roaming\Azureus\active\BC381280E34D8EF1192D5CE4BFD0705256E2F686.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\C22947375D555DD4F9B91605BEAC0626F1617B86.dat
c:\users\Larry\AppData\Roaming\Azureus\active\C22947375D555DD4F9B91605BEAC0626F1617B86.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\C62AB462BE9A93985B39F509BFCDB8E76A9DEF3C.dat
c:\users\Larry\AppData\Roaming\Azureus\active\C62AB462BE9A93985B39F509BFCDB8E76A9DEF3C.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\cache.dat
c:\users\Larry\AppData\Roaming\Azureus\active\CBA44A111C01DF2170FFE7AE72A9607D75693589.dat
c:\users\Larry\AppData\Roaming\Azureus\active\CBA44A111C01DF2170FFE7AE72A9607D75693589.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\CF9F6C1A1E24FF6F9E756FA72621D2CFD97F2778.dat
c:\users\Larry\AppData\Roaming\Azureus\active\CF9F6C1A1E24FF6F9E756FA72621D2CFD97F2778.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\D83BCE73EC085D1468FF361A6D7AC63E7905AF65.dat
c:\users\Larry\AppData\Roaming\Azureus\active\D83BCE73EC085D1468FF361A6D7AC63E7905AF65.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\DF984040D08981D924137629C77BC02710D2D103.dat
c:\users\Larry\AppData\Roaming\Azureus\active\DF984040D08981D924137629C77BC02710D2D103.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\E383A970AC76DB298FBE966B42AE31A011175F82.dat
c:\users\Larry\AppData\Roaming\Azureus\active\E383A970AC76DB298FBE966B42AE31A011175F82.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\E61CF79098C3BD4DAD75D33136F720C149386170.dat
c:\users\Larry\AppData\Roaming\Azureus\active\E61CF79098C3BD4DAD75D33136F720C149386170.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\active\F8EC24D1D6E5FBF839D56F49A3526B793DFE3160.dat
c:\users\Larry\AppData\Roaming\Azureus\active\F8EC24D1D6E5FBF839D56F49A3526B793DFE3160.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\azureus.config
c:\users\Larry\AppData\Roaming\Azureus\azureus.config.bak
c:\users\Larry\AppData\Roaming\Azureus\azureus.statistics
c:\users\Larry\AppData\Roaming\Azureus\azureus.statistics.bak
c:\users\Larry\AppData\Roaming\Azureus\banips.config
c:\users\Larry\AppData\Roaming\Azureus\banips.config.bak
c:\users\Larry\AppData\Roaming\Azureus\cache\1191085919.ico
c:\users\Larry\AppData\Roaming\Azureus\cnetworks.config
c:\users\Larry\AppData\Roaming\Azureus\devices.config
c:\users\Larry\AppData\Roaming\Azureus\devices.config.bak
c:\users\Larry\AppData\Roaming\Azureus\dht\addresses.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\contacts.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\diverse.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\general.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\net3\addresses.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\net3\contacts.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\net3\diverse.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\net3\version.dat
c:\users\Larry\AppData\Roaming\Azureus\dht\version.dat
c:\users\Larry\AppData\Roaming\Azureus\downloads.config
c:\users\Larry\AppData\Roaming\Azureus\downloads.config.bak
c:\users\Larry\AppData\Roaming\Azureus\friends.config
c:\users\Larry\AppData\Roaming\Azureus\friends.config.bak
c:\users\Larry\AppData\Roaming\Azureus\ipfilter.cache
c:\users\Larry\AppData\Roaming\Azureus\logs\alerts_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\AutoSpeedSearchHistory_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\clientid_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\CNetworks_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\debug_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\debug_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\Devices_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\Friends_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\Friends_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\MetaSearch_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\MetaSearch_Engine_3.txt
c:\users\Larry\AppData\Roaming\Azureus\logs\MetaSearch_Engine_4.txt
c:\users\Larry\AppData\Roaming\Azureus\logs\MetaSearch_Engine_5.txt
c:\users\Larry\AppData\Roaming\Azureus\logs\NetStatus_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_alerts_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_AutoSpeedSearchHistory_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_AutoSpeedSearchHistory_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_clientid_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_CNetworks_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_debug_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_debug_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_Devices_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_Friends_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_Friends_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_MetaSearch_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_MetaSearch_Engine_3.txt
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_MetaSearch_Engine_4.txt
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_MetaSearch_Engine_5.txt
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_NetStatus_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_seltrace_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_seltrace_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_Subscriptions_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_Subscriptions_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_thread_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_thread_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.ads_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.CMsgr_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.emp_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.Friends_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.Friends_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.MD_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.PMsgr_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.PMsgr_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\save\1260939906169_v3.Stream_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\seltrace_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\seltrace_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\Subscriptions_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\Subscriptions_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\thread_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\thread_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.ads_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.CMsgr_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.emp_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.Friends_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.Friends_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.MD_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.PMsgr_1.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.PMsgr_2.log
c:\users\Larry\AppData\Roaming\Azureus\logs\v3.Stream_1.log
c:\users\Larry\AppData\Roaming\Azureus\media\azpd\7DWCJUOW4X57QOOVN5E2GUTLPE674MLA.azpd
c:\users\Larry\AppData\Roaming\Azureus\media\azpd\OMZOWBGWTWJZZTYUZVPR7XVNFQKCKILE.azpd
c:\users\Larry\AppData\Roaming\Azureus\metasearch.config
c:\users\Larry\AppData\Roaming\Azureus\metasearch.config.bak
c:\users\Larry\AppData\Roaming\Azureus\net\pm_22318.dat
c:\users\Larry\AppData\Roaming\Azureus\net\pm_default.dat
c:\users\Larry\AppData\Roaming\Azureus\plugins\azupnpav\cd.dat
c:\users\Larry\AppData\Roaming\Azureus\rcm.config
c:\users\Larry\AppData\Roaming\Azureus\rcm.config.bak
c:\users\Larry\AppData\Roaming\Azureus\restart.bat
c:\users\Larry\AppData\Roaming\Azureus\sidebarauto.config
c:\users\Larry\AppData\Roaming\Azureus\sidebarauto.config.bak
c:\users\Larry\AppData\Roaming\Azureus\subs\07ABDD32A54D704B48FE.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\0C09B63E9E28FA953B75.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\0D5B9E480215019B4AC4.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\14CA0FE29B2A388B5BCF.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\177BEAD0090D3FD31234.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\195B34705C48B8CB8F34.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\1A070CEE493845F89B8B.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\1BAF7BCFBFF6391B49E2.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\1EA4B13F930293A12E03.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\21B6F154E1FA75E4DF0A.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\41B5BA8E964DADE2D58B.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\447229A3A371779E8871.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\4F5A8FF2E7AF9D36103E.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\4F5D92DCB17E8F9148BB.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\5318EA0BF31F86C58EEC.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\581765478D3517627C73.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\5A217F011BAB9B2DEB56.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\601A11E4EA1ABE9CEA38.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\624910A3A637947DE3C8.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\7076DB20A5F225DDB82C.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\75073EF5A9EA448FA71D.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\798DD807A93EF72C8C89.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\7DE13DB53BE37CE417A3.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\8177A3B58DA3EE902869.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\87E23B1872099785E348.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\8DE6E5753F5ADF094F49.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\9167E16C9B7944056AC7.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\95B34C1A1F40931D0972.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\9EDB83DD6C0E3248906A.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\A1D26F82A30D6241E9B9.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\A57341AB2AA7A98D5F19.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\AD8051E73A76B5270EC8.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\B0836032AB80C7B917F9.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\B117B4D5EF69D9B0D8F2.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\C9EBC80E3E1D103634DB.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\D44784B7433BB66BE6CB.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\D5348093F096A3C76C75.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\D54DC9E9937BB20EDBD0.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\E01DCA8F4B6A7A5A27D8.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\E67D8443DF3B6D5C02B4.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\E95373D67F879D52B60D.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\F14DB936646DBBA8A53E.vuze
c:\users\Larry\AppData\Roaming\Azureus\subs\F6EB481F42D7A6D98C5A.vuze
c:\users\Larry\AppData\Roaming\Azureus\subscriptions.config
c:\users\Larry\AppData\Roaming\Azureus\subscriptions.config.bak
c:\users\Larry\AppData\Roaming\Azureus\tables.config
c:\users\Larry\AppData\Roaming\Azureus\tables.config.bak
c:\users\Larry\AppData\Roaming\Azureus\timingstats.dat
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5529.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5530.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5531.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5532.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5533.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5534.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5535.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5536.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5537.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5547.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5548.tmp\Vuze_4.3.0.6a_win32.exe
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5552.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5553.tmp
c:\users\Larry\AppData\Roaming\Azureus\tmp\AZU5554.tmp
c:\users\Larry\AppData\Roaming\Azureus\tracker.config
c:\users\Larry\AppData\Roaming\Azureus\tracker.config.bak
c:\users\Larry\AppData\Roaming\Azureus\unsentdata.config
c:\users\Larry\AppData\Roaming\Azureus\unsentdata.config.bak
c:\users\Larry\AppData\Roaming\Azureus\update.log
c:\users\Larry\AppData\Roaming\Azureus\update.properties
c:\users\Larry\AppData\Roaming\Azureus\v3.Friends.dat
c:\users\Larry\AppData\Roaming\Azureus\v3.Friends.dat.bak
c:\users\Larry\AppData\Roaming\Azureus\VuzeActivities.config
c:\users\Larry\AppData\Roaming\Azureus\VuzeActivities.config.bak
c:\users\Larry\AppData\Roaming\LimeWire
c:\users\Larry\AppData\Roaming\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\branding.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\classic.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\comm.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\alerts.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\auth.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\caps.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\chardet.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\chrome.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\composer.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\content_base.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\content_html.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\cookie.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\directory.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\downloads.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\editor.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\extensions.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\feeds.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\find.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\gfx.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\inspector.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\intl.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\jar.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\locale.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\oji.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pipboot.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pipnss.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pippki.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pippki.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\places.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\plugin.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\pref.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\profile.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\rdf.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\satchel.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\shistory.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\storage.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\transformiix.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\uconv.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\update.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\widget.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\windowds.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\xulutil.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\crashreporter.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\crashreporter.ini
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\dependentlibs.list
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\freebl3.chk
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\freebl3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\greprefs\all.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\javaxpcom.jar
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\js3250.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\LICENSE
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\debug.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\Microformats.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\utils.js
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\mozctl.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\mozctlx.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\msvcr71.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\nspr4.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\nss3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\nssckbi.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\nssdbm3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\nssutil3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\platform.ini
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\plc4.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\plds4.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\README.txt
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\arrow.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\arrowd.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\broken-image.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\charsetData.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\contenteditable.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\designmode.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\forms.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\grabber.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\html.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\html\folder.png
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\langGroups.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\language.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\loading-image.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\mathml.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\quirk.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\svg.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\ua.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\viewsource.css
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\res\wincharset.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\smime3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\softokn3.chk
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\softokn3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\sqlite3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\ssl3.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\updater.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\version.properties
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xpcom.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xpcshell.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xpicleanup.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xpidl.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xpt_dump.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xpt_link.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xul.dll
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\users\Larry\AppData\Roaming\LimeWire\browser\xulrunner\xulrunner.exe
c:\users\Larry\AppData\Roaming\LimeWire\certificate\limewire.keystore
c:\users\Larry\AppData\Roaming\LimeWire\createtimes.cache
c:\users\Larry\AppData\Roaming\LimeWire\downloads.dat
c:\users\Larry\AppData\Roaming\LimeWire\fileurns.cache
c:\users\Larry\AppData\Roaming\LimeWire\filters.props
c:\users\Larry\AppData\Roaming\LimeWire\gnutella.net
c:\users\Larry\AppData\Roaming\LimeWire\installation.props
c:\users\Larry\AppData\Roaming\LimeWire\library.dat
c:\users\Larry\AppData\Roaming\LimeWire\library5.dat
c:\users\Larry\AppData\Roaming\LimeWire\limewire.props
c:\users\Larry\AppData\Roaming\LimeWire\lock
c:\users\Larry\AppData\Roaming\LimeWire\mojito.props
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\.autoreg
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\369C6F94d01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\4C9319BBd01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\5537D1BAd01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\7BCC79A5d01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\AE98BDF4d01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\BAFF9ABCd01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\C9DF1160d01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\Cache\CEC59CF8d01
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\cert8.db
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\compreg.dat
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\cookies.sqlite
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\downloads.sqlite
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\extensions.cache
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\extensions.ini
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\history.dat
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\key3.db
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\permissions.sqlite
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\places.sqlite-journal
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\places.sqlite
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\pluginreg.dat
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\prefs.js
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\secmod.db
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\XPC.mfl
c:\users\Larry\AppData\Roaming\LimeWire\mozilla-profile\xpti.dat
c:\users\Larry\AppData\Roaming\LimeWire\player.props
c:\users\Larry\AppData\Roaming\LimeWire\promotion\promodb.backup
c:\users\Larry\AppData\Roaming\LimeWire\promotion\promodb.data
c:\users\Larry\AppData\Roaming\LimeWire\promotion\promodb.properties
c:\users\Larry\AppData\Roaming\LimeWire\promotion\promodb.script
c:\users\Larry\AppData\Roaming\LimeWire\questions.props
c:\users\Larry\AppData\Roaming\LimeWire\responses.cache
c:\users\Larry\AppData\Roaming\LimeWire\simpp.xml
c:\users\Larry\AppData\Roaming\LimeWire\spam.dat
c:\users\Larry\AppData\Roaming\LimeWire\tables.props
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme.lwtp
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\01_star.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\02_star.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\03_star.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\04_star.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\05_star.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\chat.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\forward_dn.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\forward_up.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\kill.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\kill_on.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\pause_dn.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\pause_up.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\play_dn.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\play_up.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\question.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\rewind_dn.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\rewind_up.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\stop_dn.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\stop_up.gif
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\theme.txt
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\version.txt
c:\users\Larry\AppData\Roaming\LimeWire\themes\windows_theme\warning.gif
c:\users\Larry\AppData\Roaming\LimeWire\ttdata.cache
c:\users\Larry\AppData\Roaming\LimeWire\ttrees.cache
c:\users\Larry\AppData\Roaming\LimeWire\ttroot.cache
c:\users\Larry\AppData\Roaming\LimeWire\version.xml
c:\users\Larry\AppData\Roaming\LimeWire\versions.props
c:\users\Larry\AppData\Roaming\LimeWire\xml\data\audio.sxml2
c:\users\Larry\AppData\Roaming\LimeWire\xml\data\audio.sxml3
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-10 07:21 . 2010-01-10 07:24 -------- d-----w- c:\users\Larry\AppData\Local\temp
2010-01-10 07:21 . 2010-01-10 07:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-10 07:21 . 2010-01-10 07:21 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-01-10 07:21 . 2010-01-10 07:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-10 02:29 . 2010-01-10 02:29 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-01-10 02:28 . 2010-01-10 02:28 -------- d-----w- c:\program files\MSECACHE
2010-01-08 01:20 . 2010-01-08 01:20 -------- d-----w- c:\program files\Microsoft LifeChat
2010-01-06 04:19 . 2010-01-06 04:20 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-05 21:04 . 2010-01-05 21:10 -------- d-----w- C:\Dredd
2010-01-05 08:46 . 2010-01-05 18:06 -------- d-----w- c:\users\Larry\AppData\Roaming\Wireshark
2010-01-05 07:12 . 2010-01-05 07:13 -------- d-----w- c:\program files\Wireshark
2010-01-05 05:35 . 2010-01-05 05:35 -------- d-----w- c:\program files\Windows Portable Devices
2010-01-05 05:19 . 2010-01-05 05:44 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-01-05 05:08 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-01-05 05:08 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-01-05 05:08 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-01-05 05:06 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-01-05 05:06 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-01-05 05:06 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-01-05 05:06 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-01-05 05:06 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-01-05 05:06 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-01-05 05:06 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-01-05 05:06 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-01-05 05:06 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-01-05 05:06 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-01-05 05:06 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-01-05 05:06 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-01-05 05:05 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-01-05 05:05 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-01-05 05:05 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-01-04 07:10 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-01-04 07:10 . 2010-01-04 07:10 -------- d-----w- c:\program files\Alwil Software
2010-01-04 06:39 . 2010-01-04 06:40 -------- d-----w- c:\windows\system32\ca-ES
2010-01-04 06:39 . 2010-01-04 06:40 -------- d-----w- c:\windows\system32\eu-ES
2010-01-04 06:39 . 2010-01-04 06:40 -------- d-----w- c:\windows\system32\vi-VN
2010-01-04 06:09 . 2010-01-04 06:09 -------- d-----w- c:\windows\system32\EventProviders
2010-01-04 05:10 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-01-04 04:47 . 2010-01-04 04:47 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-01-04 03:38 . 2009-12-01 15:53 220536 ----a-w- C:\sigcheck.exe
2010-01-04 02:46 . 2009-04-11 06:28 1077248 ----a-w- c:\windows\system32\vssapi.dll
2010-01-04 02:45 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-03 17:48 . 2010-01-03 17:48 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-03 17:47 . 2010-01-03 17:47 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-01-03 07:33 . 2010-01-03 07:33 -------- d-----w- c:\program files\ToniArts
2010-01-03 07:20 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 06:47 . 2010-01-03 06:47 -------- d-----w- C:\PerfLogs
2010-01-03 05:33 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-03 05:08 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-03 05:08 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-03 05:08 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-03 04:43 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-01-03 04:35 . 2008-01-19 07:29 705536 ----a-w- c:\windows\system32\imagesp1.dll
2010-01-03 04:35 . 2008-01-19 07:36 116736 ----a-w- c:\windows\system32\sstpsvc.dll
2010-01-03 04:35 . 2008-01-19 07:36 175104 ----a-w- c:\windows\system32\winrscmd.dll
2010-01-03 04:33 . 2008-01-19 07:37 1642496 ----a-w- c:\windows\system32\WMPEncEn.dll
2010-01-03 04:32 . 2008-01-19 07:36 80896 ----a-w- c:\windows\system32\wbem\WMIPICMP.dll
2010-01-03 04:31 . 2008-01-19 07:34 102400 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2010-01-03 04:31 . 2008-01-19 07:36 357888 ----a-w- c:\windows\system32\wbemcomn.dll
2010-01-03 04:31 . 2008-01-19 07:36 129536 ----a-w- c:\windows\system32\sqmapi.dll
2010-01-03 04:31 . 2008-01-19 07:36 139264 ----a-w- c:\windows\system32\SmiInstaller.dll
2010-01-03 04:31 . 2008-01-19 07:35 35328 ----a-w- c:\windows\system32\mspatcha.dll
2010-01-03 04:31 . 2008-01-19 07:34 305152 ----a-w- c:\windows\system32\msdelta.dll
2010-01-03 04:31 . 2008-01-19 07:34 258560 ----a-w- c:\windows\system32\dpx.dll
2010-01-03 04:28 . 2009-11-21 06:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-03 04:27 . 2009-11-21 06:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-03 04:27 . 2009-11-21 06:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-03 04:27 . 2009-11-21 04:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-03 04:13 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-03 04:13 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2010-01-03 04:13 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-03 04:13 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-03 04:13 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-03 04:13 . 2009-04-11 06:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-03 04:11 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-01-03 04:11 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-03 04:11 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-01-03 04:11 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-03 04:11 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2010-01-03 04:11 . 2009-04-11 06:28 98816 ----a-w- c:\windows\system32\mfps.dll
2010-01-03 04:11 . 2009-04-11 06:27 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-01-03 04:11 . 2009-04-11 06:27 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-01-03 04:11 . 2009-04-11 04:54 2048 ----a-w- c:\windows\system32\mferror.dll
2010-01-03 04:10 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-01-03 04:10 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2010-01-03 04:10 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-01-03 04:10 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-01-03 04:10 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-01-03 04:10 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-01-03 04:10 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-01-03 04:10 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-01-03 04:10 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2010-01-03 04:10 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-01-03 04:10 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-01-03 04:08 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2010-01-03 04:08 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-01-03 04:08 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2010-01-03 04:07 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-01-03 04:07 . 2008-01-19 07:35 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-01-03 04:07 . 2008-01-19 07:35 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-01-03 04:07 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-01-03 04:07 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-01-03 04:07 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-01-03 04:07 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-01-03 03:58 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-01-03 03:55 . 2010-01-03 03:55 -------- d-----w- C:\Download
2010-01-03 03:55 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-03 03:53 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-01-03 03:53 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-03 03:53 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-01-03 03:53 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-01-03 03:51 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-01-03 03:18 . 2010-01-03 03:18 37888 ----a-w- c:\windows\system32\printcom.dll
2010-01-03 03:18 . 2010-01-03 03:18 -------- d-----w- c:\program files\MSXML 4.0
2010-01-03 02:57 . 2010-01-03 02:57 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-01-03 02:57 . 2010-01-03 02:57 44768 ----a-w- c:\windows\system32\wups2.dll
2010-01-03 02:57 . 2010-01-03 02:57 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-01-03 02:57 . 2010-01-03 02:57 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-01-03 02:56 . 2010-01-03 02:56 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-01-03 02:56 . 2010-01-03 02:56 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-01-03 02:56 . 2010-01-03 02:56 35552 ----a-w- c:\windows\system32\wups.dll
2010-01-03 02:56 . 2010-01-03 02:56 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-03 02:55 . 2010-01-03 02:55 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-01-03 01:01 . 2010-01-03 01:01 -------- d-----w- c:\program files\Trojan Remover
2010-01-02 16:37 . 2010-01-10 06:25 -------- d-----w- C:\$AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 04:51 . 2008-10-29 16:04 -------- d-----w- c:\users\Larry\AppData\Roaming\U3
2010-01-10 02:29 . 2010-01-10 02:29 3584 ----a-r- c:\users\Larry\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-05 07:13 . 2009-06-16 04:20 -------- d-----w- c:\program files\WinPcap
2010-01-05 06:10 . 2009-03-04 16:08 -------- d-----w- c:\program files\Common Files\Apple
2010-01-05 05:35 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-05 05:35 . 2010-01-05 05:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-04 16:53 . 2008-10-25 05:47 112800 ----a-w- c:\users\Larry\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-04 08:12 . 2008-11-12 01:02 -------- d-----w- c:\programdata\Microsoft Help
2010-01-04 08:08 . 2008-11-12 01:06 -------- d-----w- c:\program files\Microsoft Works
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-04 06:40 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-04 06:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-04 06:38 . 2010-01-04 06:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-01-03 07:33 . 2008-10-25 05:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-03 06:36 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-01-03 06:36 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-01-03 03:37 . 2009-05-14 03:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-02 16:37 . 2008-10-25 14:33 -------- d-----w- c:\program files\AVG
2010-01-02 15:41 . 2009-11-30 20:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 20:51 . 2009-11-30 20:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-27 23:44 . 2009-11-27 23:44 -------- d-----w- c:\users\Guest\AppData\Roaming\Logitech
2009-11-27 23:44 . 2009-11-27 23:44 112800 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-23 02:00 . 2009-11-23 02:00 439816 ----a-w- c:\users\Larry\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-21 09:30 . 2009-11-21 09:30 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-11-21 00:51 . 2009-09-30 22:05 -------- d-----w- c:\program files\iPod
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2008-03-25 14131200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 92704]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Larry^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Larry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 06:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-04-04 19:41 970752 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-21 03:12 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e2,d6,77,21,09,8d,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3759937382-3024296757-1267975415-1000]
"EnableNotificationsRef"=dword:00000001

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/30/2009 3:16 PM 1153368]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [6/18/2009 6:48 PM 42480]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\System32\drivers\viahduaa.sys [10/25/2008 12:52 AM 250880]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/2/2010 11:33 PM 21504]
S3 JRHSUR;JRHSUR;c:\users\Larry\AppData\Local\Temp\JRHSUR.exe --> c:\users\Larry\AppData\Local\Temp\JRHSUR.exe [?]
S3 PORTMON;PORTMON;c:\users\Larry\Downloads\SysinternalsSuite(2)\PORTMSYS.SYS [1/5/2010 2:46 AM 28656]
S3 RDID1009;EDIROL UM-1;c:\windows\System32\drivers\Rdwm1009.sys [10/31/2008 12:18 PM 56832]
S3 UZJBTLAINQG;UZJBTLAINQG;c:\users\Larry\AppData\Local\Temp\UZJBTLAINQG.exe --> c:\users\Larry\AppData\Local\Temp\UZJBTLAINQG.exe [?]
S3 WFHP;WFHP;c:\users\Larry\AppData\Local\Temp\WFHP.exe --> c:\users\Larry\AppData\Local\Temp\WFHP.exe [?]
S3 XRF;XRF;c:\users\Larry\AppData\Local\Temp\XRF.exe --> c:\users\Larry\AppData\Local\Temp\XRF.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Larry\AppData\Roaming\Mozilla\Firefox\Profiles\4m6tlgh3.default\
FF - prefs.js: browser.startup.homepage - cnn.com
FF - plugin: c:\users\Larry\AppData\Roaming\Mozilla\Firefox\Profiles\4m6tlgh3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\VDeck\VDeck.exe????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-10 02:29:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 07:29
ComboFix2.txt 2010-01-10 05:02
ComboFix3.txt 2010-01-05 09:08

Pre-Run: 173,420,523,520 bytes free
Post-Run: 173,052,710,912 bytes free

- - End Of File - - 4B56EEAA68AC15FF56D25E2500EEE775



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, January 10, 2010
Operating system: Microsoft Windows Vista Business Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, January 10, 2010 06:35:05
Records in database: 3296091
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 163608
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:47:08

No threats found. Scanned area is clean.

Selected area has been scanned.
LPriola
Active Member
 
Posts: 7
Joined: January 3rd, 2010, 1:32 pm

Re: Rootkit/keylogger

Unread postby jmw3 » January 10th, 2010, 7:18 pm

Hi

All of these files combofix "deletes" are really just sent to a quarantine folder.
That's right. They will be removed when we uninstall ComboFix.

Logs look good. How's the computer running now?
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Rootkit/keylogger

Unread postby LPriola » January 10th, 2010, 7:35 pm

I know the second I say the coast is clear something will probably happen. However, I think something involved with limewire was the cause behind all this, and removing it on every level was probably the best course of action. Although for some reason my Logitech MX518 mouse no longer responds to the tabbing button built into it. Start up seems to be much faster than before though. I do thank you very much for all this support you've given me with this matter. So how do I go about removing combofix?
LPriola
Active Member
 
Posts: 7
Joined: January 3rd, 2010, 1:32 pm

Re: Rootkit/keylogger

Unread postby jmw3 » January 10th, 2010, 10:31 pm

Hi

Sorry, I can't be much help with the mouse issue as I don't know much about that model. Might I suggest maybe uninstalling & re-installing the driver for it.
You could also try these dedicated tech sites for further help on it:
http://www.techsupportforum.com/
http://forums.whatthetech.com/forums.html
http://forums.techguy.org/

DeFogger
To re-enable your Emulation drivers, right click DeFogger then choose Run as Administrator to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be randomly named .exe file)
DeFogger
TFC.exe
Any logs that may have been saved to your desktop

You can remove the Kaspersky Online Scanner. This can be done via Add or Remove Programs
You should also remove HijackThis. You can do this by going to C:\Users\Larry\Downloads\HiJackThis.exe
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt
You can re-enable SpyBot's TeaTimer now if you like.

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.2
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed Uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from Foxit Software
Note: Do not install anything dealing with AskBar... presented as an installation option.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here. Keep it updated & run it regularly.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Web of Trust
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Rootkit/keylogger

Unread postby jmw3 » January 13th, 2010, 3:31 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 70 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware