Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Alureon H removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Alureon H removal

Unread postby magic » June 18th, 2010, 3:01 am

Ok thanks. Here is the combofix.txt:

ComboFix 10-06-17.02 - owner 17/06/2010 23:33:16.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3034.1915 [GMT 1:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
Command switches used :: c:\users\owner\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\programdata\1VjM2R.dat
file zipped: c:\users\owner\AppData\Local\Fdiveqayofika.dat
file zipped: c:\users\owner\AppData\Local\Fxuresebebe.bin
file zipped: c:\windows\system32\drivers\ajumnofe.sys
file zipped: c:\windows\system32\drivers\brfpesnf.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\1VjM2R.dat
c:\programdata\Norton
c:\programdata\Norton\00000082\00000105\00000349\cltLMS1.dat
c:\programdata\Norton\00000082\00000105\00000349\cltLMS2.dat
c:\programdata\Norton\00000082\00000105\cltupgrade.dat
c:\programdata\Norton\00000082\00000105\key.txt
c:\programdata\Norton\symdata.xml
c:\programdata\RegCure
c:\programdata\RegCure\multipledetection.dat
c:\programdata\Symantec
c:\programdata\Symantec\SubEng\platformid.dat
c:\users\owner\AppData\Local\Fdiveqayofika.dat
c:\users\owner\AppData\Local\Fxuresebebe.bin
c:\users\owner\AppData\Roaming\LimeWire
c:\users\owner\AppData\Roaming\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\branding.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\classic.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\comm.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\alerts.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\auth.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\caps.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\chardet.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\chrome.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\composer.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\content_base.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\content_html.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\cookie.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\directory.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\downloads.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\editor.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\extensions.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\feeds.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\find.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\gfx.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\inspector.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\intl.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\jar.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\locale.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\oji.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pipboot.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pipnss.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pippki.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pippki.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\places.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\plugin.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\pref.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\profile.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\rdf.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\satchel.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\shistory.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\storage.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\transformiix.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\uconv.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\update.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\widget.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\windowds.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\xulutil.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\crashreporter.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\crashreporter.ini
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\dependentlibs.list
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\freebl3.chk
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\freebl3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\greprefs\all.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\javaxpcom.jar
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\js3250.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\LICENSE
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\debug.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\Microformats.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\utils.js
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\mozctl.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\mozctlx.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\msvcr71.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\nspr4.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\nss3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\nssckbi.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\nssdbm3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\nssutil3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\platform.ini
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\plc4.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\plds4.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\README.txt
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\arrow.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\arrowd.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\broken-image.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\charsetData.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\contenteditable.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\designmode.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\forms.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\grabber.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\html.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\html\folder.png
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\langGroups.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\language.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\loading-image.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\mathml.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\quirk.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\svg.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\ua.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\viewsource.css
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\res\wincharset.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\smime3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\softokn3.chk
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\softokn3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\sqlite3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\ssl3.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\updater.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\version.properties
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xpcom.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xpcshell.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xpicleanup.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xpidl.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xpt_dump.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xpt_link.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xul.dll
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\users\owner\AppData\Roaming\LimeWire\browser\xulrunner\xulrunner.exe
c:\users\owner\AppData\Roaming\LimeWire\certificate\limewire.keystore
c:\users\owner\AppData\Roaming\LimeWire\createtimes.cache
c:\users\owner\AppData\Roaming\LimeWire\downloads.dat
c:\users\owner\AppData\Roaming\LimeWire\fileurns.cache
c:\users\owner\AppData\Roaming\LimeWire\gnutella.net
c:\users\owner\AppData\Roaming\LimeWire\installation.props
c:\users\owner\AppData\Roaming\LimeWire\library.dat
c:\users\owner\AppData\Roaming\LimeWire\library5.dat
c:\users\owner\AppData\Roaming\LimeWire\limewire.props
c:\users\owner\AppData\Roaming\LimeWire\lock
c:\users\owner\AppData\Roaming\LimeWire\mojito.props
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\.autoreg
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\cert8.db
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\compreg.dat
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\cookies.sqlite
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\downloads.sqlite
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\extensions.cache
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\extensions.ini
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\history.dat
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\key3.db
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\permissions.sqlite
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\places.sqlite-journal
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\places.sqlite
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\pluginreg.dat
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\prefs.js
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\secmod.db
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\XPC.mfl
c:\users\owner\AppData\Roaming\LimeWire\mozilla-profile\xpti.dat
c:\users\owner\AppData\Roaming\LimeWire\player.props
c:\users\owner\AppData\Roaming\LimeWire\promotion\promodb.backup
c:\users\owner\AppData\Roaming\LimeWire\promotion\promodb.data
c:\users\owner\AppData\Roaming\LimeWire\promotion\promodb.properties
c:\users\owner\AppData\Roaming\LimeWire\promotion\promodb.script
c:\users\owner\AppData\Roaming\LimeWire\questions.props
c:\users\owner\AppData\Roaming\LimeWire\responses.cache
c:\users\owner\AppData\Roaming\LimeWire\simpp.xml
c:\users\owner\AppData\Roaming\LimeWire\spam.dat
c:\users\owner\AppData\Roaming\LimeWire\tables.props
c:\users\owner\AppData\Roaming\LimeWire\ttdata.cache
c:\users\owner\AppData\Roaming\LimeWire\ttroot.cache
c:\users\owner\AppData\Roaming\LimeWire\uploads.dat\Glee.S01E02.Showmance.HDTV.XviD-FQM.[VTV].avi.fastresume
c:\users\owner\AppData\Roaming\LimeWire\uploads.dat\Glee.S01E02.Showmance.HDTV.XviD-FQM.[VTV].avi.memento
c:\users\owner\AppData\Roaming\LimeWire\version.xml
c:\users\owner\AppData\Roaming\LimeWire\versions.props
c:\users\owner\AppData\Roaming\LimeWire\xml\data\audio.sxml3
c:\users\owner\AppData\Roaming\LimeWire\xml\data\video.sxml3
c:\windows\system32\drivers\ajumnofe.sys
c:\windows\system32\drivers\brfpesnf.sys
c:\windows\system32\win.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_twxbmoeoksrmcqrn


((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-17 22:43 . 2010-06-17 22:51 -------- d-----w- c:\users\owner\AppData\Local\temp
2010-06-17 22:43 . 2010-06-17 22:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-17 22:43 . 2010-06-17 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-17 22:15 . 2010-06-17 22:16 -------- d-----w- C:\32788R22FWJFW.0.tmp
2010-06-17 08:45 . 2010-05-28 10:40 30584 ----a-w- c:\windows\system32\drivers\nnetsecl.sys
2010-06-17 08:45 . 2010-05-25 12:28 34192 ----a-w- c:\windows\system32\drivers\nnetsecl64.sys
2010-06-12 17:03 . 2010-06-12 17:03 -------- d-----w- c:\program files\trend micro
2010-06-12 17:03 . 2010-06-12 17:04 -------- d-----w- C:\rsit
2010-06-10 10:59 . 2010-06-10 10:59 -------- d-----w- c:\windows\system32\20-20 Technologies
2010-06-09 14:51 . 2010-06-09 14:51 -------- d-----w- c:\program files\Enigma Software Group
2010-06-09 14:51 . 2010-06-09 14:56 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-08 20:37 . 2010-06-08 20:37 -------- d-----w- C:\MGADiagToolOutput
2010-06-07 21:30 . 2010-06-17 18:39 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-07 21:29 . 2010-06-08 07:14 -------- d-----w- c:\programdata\Hitman Pro
2010-06-07 21:29 . 2010-06-07 21:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-07 20:40 . 2010-05-19 07:37 67664 ----a-w- c:\windows\system32\drivers\ale_nf64.sys
2010-06-07 20:40 . 2010-05-14 08:35 48272 ----a-w- c:\windows\system32\drivers\nnetsec.sys
2010-06-07 20:40 . 2010-05-10 08:13 376136 ----a-w- c:\windows\system32\drivers\tdi_nf.sys
2010-06-07 20:21 . 2010-05-19 07:36 60960 ----a-w- c:\windows\system32\drivers\ale_nf.sys
2010-06-07 20:21 . 2009-10-07 12:22 76944 ----a-w- c:\windows\system32\drivers\tdi_rd.sys
2010-06-07 20:21 . 2009-10-07 12:20 82072 ----a-w- c:\windows\system32\drivers\ndis_rd.sys
2010-06-07 20:21 . 2009-10-14 11:03 23392 ----a-w- c:\windows\system32\drivers\nvcv32mf.sys
2010-06-07 20:21 . 2009-10-11 13:06 214344 ----a-w- c:\windows\system32\nscrnsav.scr
2010-06-06 19:52 . 2010-06-07 06:59 -------- d-----w- c:\windows\system32\MpEngineStore
2010-06-05 10:23 . 2010-06-17 22:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-05 10:23 . 2010-06-05 19:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-03 07:00 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-02 21:48 . 2010-06-07 20:40 -------- d-----w- c:\program files\Norman
2010-05-25 17:57 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 22:32 . 2010-04-28 11:01 -------- d-----w- c:\program files\QuickTime
2010-06-17 22:32 . 2010-04-20 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 22:32 . 2010-04-28 11:05 -------- d-----w- c:\program files\iTunes
2010-06-17 20:11 . 2009-12-01 22:21 -------- d-----w- c:\users\owner\AppData\Roaming\LPC
2010-06-16 14:38 . 2009-06-28 18:33 -------- d-----w- c:\users\owner\AppData\Roaming\Skype
2010-06-16 14:32 . 2009-06-28 18:37 -------- d-----w- c:\users\owner\AppData\Roaming\skypePM
2010-06-11 07:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-11 07:40 . 2009-05-31 19:48 -------- d-----w- c:\programdata\Microsoft Help
2010-06-09 14:51 . 2009-06-04 21:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-07 18:29 . 2008-01-21 02:24 6144 ----a-w- c:\windows\system32\drivers\RDPENCDD.sys
2010-06-07 17:45 . 2009-08-02 20:20 -------- d-----w- c:\users\owner\AppData\Roaming\CoreFTP
2010-06-07 17:45 . 2009-12-09 07:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-07 17:45 . 2009-08-02 19:57 -------- d-----w- c:\program files\SmartFTP Client
2010-06-07 17:45 . 2010-04-28 10:53 -------- d-----w- c:\program files\Bonjour
2010-06-07 06:52 . 2009-05-17 12:48 6756 ----a-w- c:\users\owner\AppData\Local\d3d9caps.dat
2010-06-05 19:20 . 2010-04-22 18:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 17:06 . 2010-06-10 16:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 16:12 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-23 11:00 . 2010-04-10 09:54 -------- d-----w- c:\program files\Google
2010-05-08 17:43 . 2010-05-08 14:45 -------- d-----w- c:\programdata\WinZip
2010-05-04 05:59 . 2010-06-10 16:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 16:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 16:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 16:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 16:12 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2010-04-20 20:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-04-20 20:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 11:06 . 2010-04-28 11:05 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-28 11:05 . 2010-04-28 11:05 -------- d-----w- c:\program files\iPod
2010-04-28 11:05 . 2009-06-11 06:51 -------- d-----w- c:\program files\Common Files\Apple
2010-04-23 16:52 . 2010-04-23 16:52 -------- d-----w- c:\program files\WinMerge
2010-04-22 18:10 . 2010-04-22 18:10 -------- d-----w- c:\program files\Common Files\Java
2010-04-22 18:09 . 2009-06-05 18:46 -------- d-----w- c:\program files\Java
2010-04-20 20:37 . 2010-04-20 20:37 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2010-04-20 20:37 . 2010-04-20 20:37 -------- d-----w- c:\programdata\Malwarebytes
2010-04-16 07:33 . 2010-04-16 07:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33 . 2010-04-16 07:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 17:01 . 2010-06-10 16:12 67072 ----a-w- c:\windows\system32\asycfilt.dll
2009-05-17 13:42 . 2009-05-17 13:42 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\windows sidebar\sidebar.exe" [2009-04-11 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 154136]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-17 3810304]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2009-11-24 189824]
"NPCTray"="c:\program files\Norman\npc\bin\npc_tray.exe" [2010-02-22 93616]
"NOELauncher"="c:\program files\Norman\nsc\bin\noelauncher.exe" [2010-03-23 74056]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-11-7 517384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-31 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d3,de,9a,2f,25,3a,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 136176]
R3 NASS;Norman Anti Spam Service;c:\program files\Norman\nsc\bin\nassvc32.exe [2010-03-23 133832]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\NSESVC.EXE [2009-11-23 283976]
R3 NUAA;Norman User Activity Agent;c:\program files\Norman\npc\bin\nuaa.exe [2009-10-11 99656]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\DRIVERS\nvcv32mf.sys [2009-10-14 23392]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\Nvc\Bin\nvcoas.exe [2010-05-21 202056]
R3 Scheduler;Norman Scheduler Service;c:\program files\Norman\Npm\Bin\scheduler.exe [2009-10-15 133272]
S1 ALE_NF;Norman Network Filter ALE driver;c:\windows\system32\drivers\ale_nf.sys [2010-05-19 60960]
S1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2010-01-04 26744]
S1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [2010-05-10 72392]
S2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\NDISKIO.SYS [2009-10-09 22880]
S2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\Nnf.exe [2010-05-07 210640]
S2 NPFSvc32;Norman Personal Firewall Service;c:\program files\Norman\npf\bin\npfsvc32.exe [2010-06-02 286328]
S2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\Nprosec.exe [2010-05-07 103016]
S2 nregsec;Norman Registry Security driver;c:\program files\Norman\Ngs\Bin\nregsec.sys [2010-05-14 40384]
S2 NVOY;Norman Resource Provider;c:\program files\Norman\npm\bin\nvoy.exe [2010-03-15 98776]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [2007-10-12 202016]
S2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 148768]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-08-19 92008]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 09:54]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 09:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsig ... &mkt=en-gb
uInternet Settings,ProxyOverride = *.local
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.kp.2020.net/planner/Core/Play ... _Win32.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://holidaystore-sitges.remotemanage ... Render.ocx
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr .exe
HKLM-Run-UDC Integration - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 23:52
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4380)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Norman\Npm\Bin\Elogsvc.exe
c:\program files\Norman\Npm\Bin\Zanda.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-18 00:01:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-17 23:01
ComboFix2.txt 2010-06-15 21:55

Pre-Run: 122,871,656,448 bytes free
Post-Run: 122,764,931,072 bytes free

- - End Of File - - 306A57CF4B57EAE1C780646BB2D39F41
Upload was successful
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm
Advertisement
Register to Remove

Re: Alureon H removal

Unread postby Airscape » June 18th, 2010, 7:38 pm

Hi magic,

How is the pc running now? are you still getting those alerts by Hitman Pro and messages from Norman?

If so it may be worhwhile reinstalling both programs to see if that solves the problem. Please do the following for now:


TFC(Temp File Cleaner)
  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Do not be alarmed if your desktop icons disappear/reappear.
  • Double-click TFC.exe to run the program.
  • Click the Start button in bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted.
It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware and click the Update tab >> then Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post this log in your next reply.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • If asked to restart the computer to finish cleaning, please do so.
If you receive an (Error Loading) error on reboot, please reboot a second time.
It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kaspersky online scan
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.
This online tutorial will help explain how to use the aforementioned online scan.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logs/information to post in next reply:
  • MBAM log
  • Kaspersky log
  • New HijackThis log
  • How is the pc running?
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Alureon H removal

Unread postby magic » June 19th, 2010, 12:15 pm

Thanks.The PC appears to be running ok and the Norman message no longer appears and the Hitman Pro does not detect any infection. We have run the TFC and have completed the logs you required:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4215

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

19/06/2010 10:39:55
mbam-log-2010-06-19 (10-39-55).txt

Scan type: Quick scan
Objects scanned: 134753
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, June 19, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, June 18, 2010 22:02:01
Records in database: 4292311
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 308378
Threats found: 4
Infected objects found: 4
Suspicious objects found: 1
Scan duration: 05:13:52


File name / Threat / Threats count
C:\Users\owner\AppData\Local\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\owner\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0b81fd0b\Report.cab Infected: Trojan.Win32.Powp.bax 1
C:\Users\owner\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0b989fcf\Report.cab Infected: Trojan.Win32.Powp.dff 1
C:\Users\owner\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report13d7da28\Report.cab Infected: Trojan.Win32.Powp.dff 1
C:\Users\owner\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report170430a0\Report.cab Infected: Trojan.Win32.Powp.cyw 1

Selected area has been scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:08:00, on 19/06/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nnf.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Norman\npf\bin\npfsvc32.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\Npc\Bin\npc_tray.exe
C:\Program Files\Norman\npc\bin\nuaa.exe
C:\Program Files\Norman\nsc\bin\nassvc32.exe
C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Norman\Npm\Bin\ZLH.exe
C:\Program Files\Norman\Npc\Bin\npc_tray.exe
C:\Program Files\Norman\nsc\Bin\NOELauncher.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\owner\AppData\Local\temp\jkos-owner\binaries\ScanningProcess.exe
C:\Users\owner\AppData\Local\temp\jkos-owner\binaries\ScanningProcess.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\owner\Desktop\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsig ... &mkt=en-gb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] C:\Program Files\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [NOELauncher] C:\Program Files\Norman\nsc\bin\noelauncher.exe /load
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://bq.kp.2020.net/planner/Core/Play ... _Win32.cab
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://holidaystore-sitges.remotemanage ... Render.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Norman Anti Spam Service (NASS) - Norman ASA - C:\Program Files\Norman\nsc\bin\nassvc32.exe
O23 - Service: Norman Network Filtering service (NNFSVC) - Norman ASA - C:\Program Files\Norman\Ngs\Bin\Nnf.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program Files\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program Files\Norman\Nse\Bin\NSESVC.EXE
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Program Files\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\scheduler.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 12620 bytes
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm

Re: Alureon H removal

Unread postby Airscape » June 20th, 2010, 8:21 pm

Hi, there's something we need to check, please do the following:


maxlook
First, you must verify that you can access the Vista Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available, select it.

If not available, you will need to insert your Vista installation dvd and restart, then press any key when prompted to boot from the cd.
At the Install Windows screen, select Repair your computer. (image below)

Image

Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.

Image

Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.

cd /d x:\windows <--- the red x represents your operating system drive letter, as shown in the image below


Image

At the C:\Windows> prompt type the following command then hit Enter

look.bat

You will see many files copied then return to the x:\windows> prompt.
Type Exit then restart your computer and logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Alureon H removal

Unread postby magic » June 21st, 2010, 3:24 pm

Thanks for your continued help.

Below is the looklog.txt:

Run from C:\Users\owner\Desktop\maxlook.exe on 21/06/2010 at 20:22:38.41

No infected file found
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm

Re: Alureon H removal

Unread postby Airscape » June 22nd, 2010, 11:02 am

My Apologies, there's a mistake in the instructions, please do this, you may need to enable the run command:
Right click start > properties > start menu > customize > check "run command" ok > apply/ok





  • First, click Start>Run & copy/paste the following bolded text into the run box and click OK

    maxlook -cleanup

  • Now repeat the original instructions and double click maxlook.exe only once.
  • Reboot into the Recovery Environment again and at the x:\ prompt type in the following bolded text:

    cd /d c:\Windows

    (note - there is a space between cd & /d, & another space between /d & c:\Windows)
  • Press Enter.
  • You should now be at C:\Windows> prompt
  • Type in the following bolded text:

    look.bat

  • Press Enter
  • You will see 1 file copied many times then return to the x:\windows> prompt.
  • Type Exit to restart your computer then logon in normal mode.
  • Once back in Windows, go to Start > Run, & copy/paste the following then press Enter

    maxlook -sig

  • Follow the prompts, & post (or attach) the log produced, C:\looklog.txt
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Alureon H removal

Unread postby magic » June 22nd, 2010, 2:31 pm

Thanks, below is the new log:

Code: Select all
Run from C:\Users\owner\Desktop\maxlook.exe on 22/06/2010 at 19:25:02.42

--------- maxlook unsigned files ---------

c:\windows\maxdrive\RDPENCDD.sys:
	Verified:	Unsigned
	File date:	19:29 07/06/2010
	Publisher:	n/a
	Description:	n/a
	Product:	n/a
	Version:	n/a
	File version:	n/a
c:\windows\maxdrive\windrvr.sys:
	Verified:	Unsigned
	File date:	17:49 24/08/2006
	Publisher:	Jungo
	Description:	WinDriver Device Driver 4.33
	Product:	WinDriver Device Driver
	Version:	4.33
	File version:	4.33

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\RDPENCDD.sys:
	Verified:	Unsigned
	File date:	19:29 07/06/2010
	Publisher:	n/a
	Description:	n/a
	Product:	n/a
	Version:	n/a
	File version:	n/a
c:\windows\system32\drivers\windrvr.sys:
	Verified:	Unsigned
	File date:	17:49 24/08/2006
	Publisher:	Jungo
	Description:	WinDriver Device Driver 4.33
	Product:	WinDriver Device Driver
	Version:	4.33
	File version:	4.33
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm

Re: Alureon H removal

Unread postby magic » June 23rd, 2010, 3:49 pm

After runing the above process HitMan Pro is now re showing an issue with RDPENCDD.SYS

Plus

bs.serving-sys.com found at c:\Users\owner\AppData\Roaming\Microsoft\Windows\cookies\owner@bs.serving-sys[1].txt

serving-sys.com found at c:\Users\owner\AppData\Roaming\Microsoft\Windows\cookies\owner@serving-sys[1].txt

Look forward to hearing from you.
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm

Re: Alureon H removal

Unread postby Airscape » June 23rd, 2010, 7:55 pm

Hi magic. OK we'll try and replace that driver with a fresh copy. We need to find one first.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :Filefind
    RDPENCDD.*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Alureon H removal

Unread postby magic » June 24th, 2010, 1:26 pm

Please find log below:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:19 on 24/06/2010 by owner (Administrator - Elevation successful)

========== Filefind ==========

Searching for "RDPENCDD.*"
C:\Windows.old\Windows\System32\drivers\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [02:24 21/01/2008] 9D91FE5286F748862ECFFA05F8A0710C
C:\Windows.old\Windows\System32\RDPENCDD.dll --a--- 118272 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4707976BDBA8B5999A0006C7609505CB
C:\Windows.old\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.0.6001.18000_none_06cf4b56d5c130dc\RDPENCDD.dll --a--- 118272 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4707976BDBA8B5999A0006C7609505CB
C:\Windows.old\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.0.6001.18000_none_06cf4b56d5c130dc\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [02:24 21/01/2008] 9D91FE5286F748862ECFFA05F8A0710C
C:\Windows\maxdrive\RDPENCDD.sys --a--- 6144 bytes [03:22 23/06/2010] [18:29 07/06/2010] E6C6DEAC7256B5A37C7A31C81D34D2A3
C:\Windows\System32\drivers\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [18:29 07/06/2010] E6C6DEAC7256B5A37C7A31C81D34D2A3
C:\Windows\System32\RDPENCDD.dll --a--- 118272 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4707976BDBA8B5999A0006C7609505CB
C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.0.6001.18000_none_06cf4b56d5c130dc\RDPENCDD.dll --a--- 118272 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4707976BDBA8B5999A0006C7609505CB
C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.0.6001.18000_none_06cf4b56d5c130dc\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [18:29 07/06/2010] E6C6DEAC7256B5A37C7A31C81D34D2A3

-=End Of File=-
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm

Re: Alureon H removal

Unread postby Airscape » June 25th, 2010, 1:51 am

Hi magic,

Download a new copy of ComboFix.exe Here and save it directly to your desktop

Now I need you to boot into Safe Mode as shown in the link below:

Booting into Safe Mode safely


Once in Safe Mode open Notepad (start > run > type notepad > ok)

Copy/Paste the following bolded text into notepad:


FCopy::
C:\Windows.old\Windows\System32\drivers\RDPENCDD.sys | C:\windows\system32\drivers\RDPENCDD.sys



Save this file as CFScript.txt to your desktop

Now drag CFScript.txt into ComboFix.exe as shown in the animation below... This will start ComboFix again.

Image
When finished, it shall produce a log for you. Please post this log in your next reply, it can also be found at C:\ComboFix.txt
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Reboot Normally then post the CF log with an update on the problem.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Alureon H removal

Unread postby magic » June 25th, 2010, 3:25 am

Thanks,

We complete the above and have run HitMan Pro, and it is still showing an issue with RDPENCDD.SYS

Plus

bs.serving-sys.com found at c:\Users\owner\AppData\Roaming\Microsoft\Windows\cookies\owner@bs.serving-sys[1].txt

serving-sys.com found at c:\Users\owner\AppData\Roaming\Microsoft\Windows\cookies\owner@serving-sys[1].txt

please find the log below:

ComboFix 10-06-24.01 - owner 25/06/2010 7:43:23.3.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3034.2545 [GMT 1:00]
Running from: C:\Users\owner\Desktop\ComboFix.exe
Command switches used :: C:\Users\owner\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\look.bat

.
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm

Re: Alureon H removal

Unread postby Airscape » June 25th, 2010, 5:50 pm

Please double check to see if that is the complete log from c:\ComboFix.txt
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Alureon H removal

Unread postby magic » June 25th, 2010, 7:20 pm

Hi,

We went back in to the file

c:\combofi\combofix.txt

and this appears to be it.

ComboFix 10-06-24.01 - owner 25/06/2010 7:43:23.3.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3034.2545 [GMT 1:00]
Running from: C:\Users\owner\Desktop\ComboFix.exe
Command switches used :: C:\Users\owner\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\look.bat

We wonder is the infection still present?

Thanks



.
magic
Regular Member
 
Posts: 28
Joined: June 8th, 2010, 5:36 pm

Re: Alureon H removal

Unread postby Airscape » June 26th, 2010, 10:45 am

Hi magic, before going any further.

Are you having any browser redirects when using Google?

Also, what exactly does Hitman Pro say. Please try and note down the location of the file it detects and post any info/logs. (if possible)
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 48 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware