Free Malware Removal Forum

by **Crimson531** » January 16th, 2010, 9:37 pm

I'm having an issue with internet explorer. For some reason the process iexplore.exe will run by itself without me using internet explorer. Occasionally, a window will pop up saying the address is nets.com, I think. It's a site that sells stuff. I'm not sure if the two are related, but any help I can receive to make my computer run better would be greatly appreciated. Thank you again (^_^)

Here's my hijackthis log and and uninstall list,

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:18:45 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Rising\Rav\CCENTER.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Rising\Rav\RavTask.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Rising\Rav\ScanFrm.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZQfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - D:\Documents and Settings\Steph and Scott\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader57.cab
O16 - DPF: {4C0A00A6-056B-4314-9928-A705EB97A9AE} (VWT4 Control) - http://www.visualwebtools.com/VWT4.cab
O16 - DPF: {5C4B8FBC-AB9D-40C0-BB0A-E20570B4F754} (Progressbar Control) - http://www.visualwebtools.com/progressbar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8385773828
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - D:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - D:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - D:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - PCTEL - D:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe

--
End of file - 4452 bytes

Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player 11
Audacity 1.2.6
CA VMN Anti-Spyware (remove only)
Core FTP LE 2.1
Google Update Helper
GTK+ Runtime 2.12.12 rev a (remove only)
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photosmart Essential 3.5
HTML Executable IERuntime
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 11
LimeWire 5.3.6
Live TV
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.7)
MSN
MSXML 6 Service Pack 2 (KB954459)
Nvu 1.0
Paint.NET v3.5.1
QuickTime
Rising Antivirus
Rosetta Stone Version 3
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
SoundMAX
Sprint SmartView
The Sims Deluxe Edition
TweakNow PowerPack 2009
Ultra WinCleaner One Click! Version 8.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
Wise Disk Cleaner 3.74

by **jmw3** » January 22nd, 2010, 2:31 pm

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is postedis ticked on the POST A REPLY page.

In the meantime please note the following:

Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
Any recommendations made are for your computer problems only and should NOT be used on any other computer.
Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 5.3.6

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2

Double-Click on dds.scr and a command window will appear. This is normal
Shortly after two logs will appear, DDS.txt & Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Gmer
Download GMER Rootkit Scanner from here.

Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

by **Crimson531** » January 23rd, 2010, 4:54 am

DDS.txt

DDS (Ver_09-09-29.01) - NTFSx86
Run by Steph and Scott at 2:47:59.42 on Sat 01/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.180 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
svchost.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Steph and Scott\Desktop\h991lqks.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Steph and Scott\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {A057A204-BACC-4D26-8287-79A187E26987} - No File
EB: {0483894e-2422-45e0-8384-021aff1af3cd} - iOpus iMacros
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZQfox000
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\steph and scott\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {4C0A00A6-056B-4314-9928-A705EB97A9AE} - hxxp://www.visualwebtools.com/VWT4.cab
DPF: {5C4B8FBC-AB9D-40C0-BB0A-E20570B4F754} - hxxp://www.visualwebtools.com/progressbar.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 8385773828
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash5/cabs/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\stepha~1\applic~1\mozilla\firefox\profiles\a9mp4nin.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.searchcanvas.com/web?ot=7&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://recovery.alexa.com/helper/?aid=J ... &location=
FF - component: d:\documents and settings\steph and scott\application data\mozilla\firefox\profiles\a9mp4nin.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: d:\documents and settings\steph and scott\application data\mozilla\firefox\profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - plugin: d:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 RsNTGDI;RsNTGDI;d:\windows\system32\drivers\RsNTGdi.sys [2009-11-4 10832]
S2 RavCCenter;Rav Process Communication Center;d:\program files\rising\rav\CCenter.exe [2009-11-4 113264]
S2 RavTask;Rising RavTask Manager;d:\program files\rising\rav\RavTask.exe [2009-11-4 129648]
S2 RsScanSrv;Rising Scan Service;d:\program files\rising\rav\ScanFrm.exe [2009-11-4 51824]
S4 Zwunzi Service;Zwunzi Service;"d:\documents and settings\all users\application data\zwunzi\zwunzi119.exe" "d:\program files\zwunzi\zwunzi.dll" service --> d:\documents and settings\all users\application data\zwunzi\zwunzi119.exe [?]

=============== Created Last 30 ================

2010-01-23 02:22 <DIR> --d----- d:\program files\SumatraPDF
2010-01-20 14:00 552 a------- d:\windows\system32\d3d8caps.dat
2010-01-16 20:51 <DIR> --d----- d:\program files\Power Tab Software
2010-01-16 20:18 <DIR> --d----- d:\program files\TrendMicro
2010-01-12 11:07 <DIR> --dsh--- d:\documents and settings\steph and scott\PrivacIE
2010-01-10 17:01 <DIR> --d----- d:\program files\Trend Micro
2010-01-10 03:57 <DIR> --dsh--- d:\documents and settings\steph and scott\IETldCache
2010-01-10 03:54 <DIR> --d----- d:\windows\ie8updates
2010-01-10 03:51 <DIR> -cd----- d:\windows\ie8
2010-01-10 03:50 594,432 -c------ d:\windows\system32\dllcache\msfeeds.dll
2010-01-10 03:50 55,296 -c------ d:\windows\system32\dllcache\msfeedsbs.dll
2010-01-10 03:50 246,272 -c------ d:\windows\system32\dllcache\ieproxy.dll
2010-01-10 03:50 12,800 -c------ d:\windows\system32\dllcache\xpshims.dll
2010-01-10 03:50 1,985,536 -c------ d:\windows\system32\dllcache\iertutil.dll
2010-01-10 03:49 11,069,952 -c------ d:\windows\system32\dllcache\ieframe.dll
2010-01-10 03:49 92,160 -c------ d:\windows\system32\dllcache\iecompat.dll
2010-01-06 20:29 664 a------- d:\windows\system32\d3d9caps.dat
2010-01-02 20:41 <DIR> --d----- d:\program files\Rosetta Stone
2010-01-02 20:41 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-12-30 00:44 471,552 -c------ d:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-23 12:28 118,784 a------- d:\windows\web\wallpaper\Christmas Clock 2 Wallpaper.exe
2009-12-13 21:26 118,784 a------- d:\windows\web\wallpaper\christmas clock 2 wallpaper dir\uninstall.exe
2009-11-21 10:51 471,552 a------- d:\windows\apppatch\aclayers.dll
2009-11-12 22:23 167 a------- d:\documents and settings\steph and scott\udownload.dat
2009-11-04 18:04 238,704 a------- d:\windows\system32\bsmain.exe
2009-11-04 18:04 146,032 a------- d:\windows\system32\RavExt.dll
2009-10-29 02:45 916,480 a------- d:\windows\system32\wininet.dll

============= FINISH: 2:49:50.73 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/16/2008 3:44:25 PM
System Uptime: 1/23/2010 2:09:20 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4P800-VM
Processor: Intel(R) Pentium(R) 4 CPU 2.26GHz | CPU 1 | 2261/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 26 GiB total, 14.516 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 0.58 GiB free.
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Adobe Shockwave Player 11
Audacity 1.2.6
CA VMN Anti-Spyware (remove only)
Core FTP LE 2.1
Google Update Helper
GTK+ Runtime 2.12.12 rev a (remove only)
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photosmart Essential 3.5
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HTML Executable IERuntime
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 11
Live TV
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.7)
MSN
MSXML 6 Service Pack 2 (KB954459)
Nvu 1.0
Paint.NET v3.5.1
PayPal Plug-In
Power Tab Editor 1.7
QuickTime
Rising Antivirus
Rosetta Stone Version 3
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
SoundMAX
Sprint SmartView
Sumatra PDF reader
The Sims Deluxe Edition
TweakNow PowerPack 2009
Ultra WinCleaner One Click! Version 8.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Movie Maker 2.0
Windows XP Service Pack 3
Wise Disk Cleaner 3.74

==== Event Viewer Messages From Past Week ========

1/23/2010 2:11:20 AM, error: Service Control Manager [7034] - The Rising RavTask Manager service terminated unexpectedly. It has done this 1 time(s).
1/17/2010 11:00:47 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file regsvr32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
1/16/2010 8:09:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/16/2010 4:19:56 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
1/16/2010 4:19:56 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/16/2010 4:12:22 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
1/16/2010 4:12:22 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/16/2010 2:21:20 AM, error: Dhcp [1002] - The IP address lease 192.168.251.100 for the Network Card with network address 000EA6A29D19 has been denied by the DHCP server 192.168.251.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

GMER log

While running the scan Firefox was open. I apologize if this will cause the gmer scan to be inaccurate.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-23 03:52:49
Windows 5.1.2600 Service Pack 3
Running: h991lqks.exe; Driver: D:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\pfwyqaod.sys

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTwyedbnejkl.sys (*** hidden *** ) B6F9B000-B6FB8000 (118784 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\WINDOWS\system32\svchost.exe [356] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\WINDOWS\system32\winlogon.exe [668] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\WINDOWS\system32\svchost.exe [1000] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\Program Files\Mozilla Firefox\firefox.exe [1108] 0x01640000
Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\WINDOWS\System32\svchost.exe [1124] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\WINDOWS\system32\svchost.exe [1376] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\Program Files\Internet Explorer\iexplore.exe [1984] 0x00F20000
Library \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll (*** hidden *** ) @ D:\WINDOWS\system32\svchost.exe [2012] 0x00870000

---- Services - GMER 1.0.15 ----

Service D:\WINDOWS\system32\drivers\H8SRTwyedbnejkl.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTwyedbnejkl.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTwyedbnejkl.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTydxnjyiddi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRToyuupxjxnx.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTekvoafynxc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTpubkkrboed.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTerrors \\?\globalroot\systemroot\system32\H8SRTnpqspyvbrv.log
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTwyedbnejkl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTwyedbnejkl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTydxnjyiddi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRToyuupxjxnx.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTekvoafynxc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTpubkkrboed.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTerrors \\?\globalroot\systemroot\system32\H8SRTnpqspyvbrv.log
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTwyedbnejkl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTwyedbnejkl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTydxnjyiddi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRToyuupxjxnx.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTekvoafynxc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTpubkkrboed.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTerrors \\?\globalroot\systemroot\system32\H8SRTnpqspyvbrv.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTmbcjwsrstv.dll

---- Files - GMER 1.0.15 ----

File D:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll 643 bytes
File D:\Documents and Settings\Steph and Scott\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{94F8572F-07F2-11DF-9944-000EA6A29D19}.dat 3584 bytes
File D:\Documents and Settings\Steph and Scott\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{94F85730-07F2-11DF-9944-000EA6A29D19}.dat 6144 bytes
File D:\Documents and Settings\Steph and Scott\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EBE3F251-07F2-11DF-9944-000EA6A29D19}.dat 3584 bytes
File D:\Documents and Settings\Steph and Scott\Local Settings\Temp\H8SRT8344.tmp 343040 bytes executable
File D:\Documents and Settings\Steph and Scott\Local Settings\Temp\h8srtmainqt.dll 16333 bytes
File D:\Documents and Settings\Steph and Scott\Local Settings\Temporary Internet Files\Content.IE5\WUXPL7AT\banner4[1].swf 0 bytes
File D:\Documents and Settings\Steph and Scott\Local Settings\Temporary Internet Files\Content.IE5\WUXPL7AT\adoverlay[1].swf 0 bytes
File D:\Documents and Settings\Steph and Scott\Local Settings\Temporary Internet Files\Content.IE5\WUXPL7AT\crossdomain[4].xml 0 bytes
File D:\WINDOWS\system32\drivers\H8SRTwyedbnejkl.sys 40960 bytes executable <-- ROOTKIT !!!
File D:\WINDOWS\system32\H8SRTekvoafynxc.dll 27136 bytes executable
File D:\WINDOWS\system32\h8srtkrl32mainweq.dll 737 bytes
File D:\WINDOWS\system32\H8SRTmbcjwsrstv.dll 16896 bytes executable
File D:\WINDOWS\system32\H8SRTnpqspyvbrv.log 2610 bytes
File D:\WINDOWS\system32\H8SRToyuupxjxnx.dat 243 bytes
File D:\WINDOWS\system32\H8SRTpubkkrboed.dll 40960 bytes executable
File D:\WINDOWS\system32\h8srtshsyst.dll 524 bytes
File D:\WINDOWS\system32\H8SRTydxnjyiddi.dll 23552 bytes executable

---- EOF - GMER 1.0.15 ----

by **jmw3** » January 23rd, 2010, 6:01 am

Hi

Upload Files for Scanning
Go to VirusTotal & upload the following File/s for scanning.

Copy & paste the following File & Path in the text box next to the Browse button
Code: Select all
```
d:\documents and settings\steph and scott\desktop\h991lqks.exe
```
Click Send File
If confronted with two options, choose Reanalyse file now
Wait for scans to finish then copy & paste the results into your next reply.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here
Double click on ComboFix.exe & follow the prompts
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:
Results from VirusTotal scan
ComboFix log
Update on how the computer is running

by **Crimson531** » January 24th, 2010, 4:49 am

The computer is still running poorly and internet explorer still opens by itself, and now recited audio advertisements. I seem to be having an issue with combofix. I save the file to my desktop and run it from there. From what I can tell I"m 99% percent positive that I'm not running any antivirus or antispyware, but all that seems to happen is combofix.exe runs in the task manager. Other than that it doesn't respond. I downloaded combofix from link 2 since link 1 is a dead link.

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.24 -
AhnLab-V3 5.0.0.2 2010.01.23 -
AntiVir 7.9.1.146 2010.01.22 -
Antiy-AVL 2.0.3.7 2010.01.22 -
Authentium 5.2.0.5 2010.01.23 -
Avast 4.8.1351.0 2010.01.23 -
AVG 9.0.0.730 2010.01.23 -
BitDefender 7.2 2010.01.24 -
CAT-QuickHeal 10.00 2010.01.22 -
ClamAV 0.94.1 2010.01.22 -
Comodo 3690 2010.01.24 -
DrWeb 5.0.1.12222 2010.01.24 -
eSafe 7.0.17.0 2010.01.21 Win32.TrojanHorse
eTrust-Vet 35.2.7255 2010.01.22 -
F-Prot 4.5.1.85 2010.01.23 -
F-Secure 9.0.15370.0 2010.01.24 -
Fortinet 4.0.14.0 2010.01.24 -
GData 19 2010.01.24 -
Ikarus T3.1.1.80.0 2010.01.24 -
Jiangmin 13.0.900 2010.01.24 -
K7AntiVirus 7.10.952 2010.01.22 -
Kaspersky 7.0.0.125 2010.01.24 -
McAfee 5870 2010.01.23 -
McAfee+Artemis 5870 2010.01.23 -
McAfee-GW-Edition 6.8.5 2010.01.24 -
Microsoft 1.5405 2010.01.24 -
NOD32 4800 2010.01.23 -
Norman 6.04.03 2010.01.23 -
nProtect 2009.1.8.0 2010.01.23 -
Panda 10.0.2.2 2010.01.23 -
PCTools 7.0.3.5 2010.01.24 -
Prevx 3.0 2010.01.24 -
Rising 22.31.06.04 2010.01.24 -
Sophos 4.50.0 2010.01.24 -
Sunbelt 3.2.1858.2 2010.01.23 -
Symantec 20091.2.0.41 2010.01.24 -
TheHacker 6.5.0.9.160 2010.01.24 -
TrendMicro 9.120.0.1004 2010.01.24 -
VBA32 3.12.12.1 2010.01.23 -
ViRobot 2010.1.23.2152 2010.01.23 -
VirusBuster 5.0.21.0 2010.01.23 -
Additional information
File size: 293376 bytes
MD5...: f80f6e09e7f4bafe478ca0da6137e1e2
SHA1..: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM
61tUXRd9IPb3cVZkyp/
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb3f40
timedatestamp.....: 0x4b2763f0 (Tue Dec 15 10:24:48 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
.rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

( 0 exports )
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
packers (F-Prot): UPX
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15281
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)

by **jmw3** » January 24th, 2010, 6:31 am

Hi

Delete the copy of ComboFix you have & download it again from which ever link works for you:
Link 1
Link 2

**IMPORTANT !!! Rename ComboFix.exe to commy.exe BEFORE you save it to your Desktop**

Try running it now.

by **Crimson531** » January 24th, 2010, 11:44 pm

Combofix doesn't seem as if it's available from the second link now as well. When I access the link I'm directed to the homepage of forospyware. I'm not very fluent in spanish so I can't navigate the page. I tried to copy the link location from the hypertext and pasted it into the address bar directly and still get redirected to the main page of forospyware.

I'm not sure how recent the situation is, but I did some research on combofix and apparently there's been a discussion on majorgeeks forum saying there's a bug with combofix. I thought I'd let you know since it could be causing my issue with trying to download combofix. I'm sorry and thank you again for your time.

by **jmw3** » January 25th, 2010, 7:45 am

Hi

My apologies in replying.... hectic day. Yes there was an issue with it bit it has now been fixed. Should be OK now to download & use.
With regard to the Forospyware link. I've been told that is problem at their end. Though pasting the link into the address bar does work. It was probably due to ComboFix being temporarily unavailable that caused that issue.

So please follow my previous instructions re downloading then Renaming ComboFix.

by **Crimson531** » January 26th, 2010, 1:43 am

Yet again thank you for everything you are doing for me. It took a little while to get combofix to work on my computer, but after I disabled a service I didn't recognize I was able to run it fine. Here are the two scans you requested. From the looks of it I'd say I'm not having the issue anymore, but I'm not the professional so I'll wait for your response about the logs. Thank you again so much. (^_^)

Virus Total Scan

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.24 -
AhnLab-V3 5.0.0.2 2010.01.23 -
AntiVir 7.9.1.146 2010.01.22 -
Antiy-AVL 2.0.3.7 2010.01.22 -
Authentium 5.2.0.5 2010.01.23 -
Avast 4.8.1351.0 2010.01.23 -
AVG 9.0.0.730 2010.01.23 -
BitDefender 7.2 2010.01.24 -
CAT-QuickHeal 10.00 2010.01.22 -
ClamAV 0.94.1 2010.01.22 -
Comodo 3690 2010.01.24 -
DrWeb 5.0.1.12222 2010.01.24 -
eSafe 7.0.17.0 2010.01.21 Win32.TrojanHorse
eTrust-Vet 35.2.7255 2010.01.22 -
F-Prot 4.5.1.85 2010.01.23 -
F-Secure 9.0.15370.0 2010.01.24 -
Fortinet 4.0.14.0 2010.01.24 -
GData 19 2010.01.24 -
Ikarus T3.1.1.80.0 2010.01.24 -
Jiangmin 13.0.900 2010.01.24 -
K7AntiVirus 7.10.952 2010.01.22 -
Kaspersky 7.0.0.125 2010.01.24 -
McAfee 5870 2010.01.23 -
McAfee+Artemis 5870 2010.01.23 -
McAfee-GW-Edition 6.8.5 2010.01.24 -
Microsoft 1.5405 2010.01.24 -
NOD32 4800 2010.01.23 -
Norman 6.04.03 2010.01.23 -
nProtect 2009.1.8.0 2010.01.23 -
Panda 10.0.2.2 2010.01.23 -
PCTools 7.0.3.5 2010.01.24 -
Prevx 3.0 2010.01.24 -
Rising 22.31.06.04 2010.01.24 -
Sophos 4.50.0 2010.01.24 -
Sunbelt 3.2.1858.2 2010.01.23 -
Symantec 20091.2.0.41 2010.01.24 -
TheHacker 6.5.0.9.160 2010.01.24 -
TrendMicro 9.120.0.1004 2010.01.24 -
VBA32 3.12.12.1 2010.01.23 -
ViRobot 2010.1.23.2152 2010.01.23 -
VirusBuster 5.0.21.0 2010.01.23 -
Additional information
File size: 293376 bytes
MD5...: f80f6e09e7f4bafe478ca0da6137e1e2
SHA1..: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM
61tUXRd9IPb3cVZkyp/
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb3f40
timedatestamp.....: 0x4b2763f0 (Tue Dec 15 10:24:48 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
.rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

( 0 exports )
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
packers (F-Prot): UPX
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15281
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)

Combofix Log

ComboFix 10-01-25.02 - Steph and Scott 01/26/2010 0:16.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.338 [GMT -5:00]
Running from: d:\documents and settings\Steph and Scott\Desktop\commy531.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users\Application Data\MSN6
d:\documents and settings\All Users\Application Data\MSN6\au.ini
d:\documents and settings\Steph and Scott\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
d:\documents and settings\Steph and Scott\Application Data\MSN6
d:\documents and settings\Steph and Scott\Application Data\MSN6\au.ini
d:\documents and settings\Steph and Scott\Application Data\MSN6\msndata.dat
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\fastsettings.dat
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\favcache.xml
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\favorites.xml
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\favthumb.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\15 DAY CASH COURSE.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Anthem.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Archived Mail.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Bulk Mail.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\CABELLAS.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\CAP 1.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Clone DVD.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Commission Junction.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\contacts.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Credit Inform.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Drafts.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\EBAY Fees Paid.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Emetrix.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Ezine.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Fafsa.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Farmers Ins..dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\folders.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\From Boo Boo.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\From Mom.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Go Articles.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\GOOGLE ADWORDS.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Goolge Adsense.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Hinkel Mail.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Hotmail.ini
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\HOUSEHOLD.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Inbox.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\JUNIPER.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Misc. Family Letters.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\misc.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\MSN Announcements.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\My Affiliate Programs.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\NEW VENTURE.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\offline.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\ORCHARD.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Outbox.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\PAY PAL BUYERS CREDIT.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Paypal Receipts.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Press release.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\PROFIT LANCE.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Sent Messages(1).dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Sent Messages.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Synthasite.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Tax Act.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Taylor Bean Whitaker.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\telephone service.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Trash(1).dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\Trash.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\Hotmail\VERIZON.dbx
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\localsettings.xml
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\msnuser.dat
d:\documents and settings\Steph and Scott\Application Data\MSN6\UserData\{734938B2-4823-01C9-0300-000069AC34EE}\settings.xml
d:\documents and settings\Steph and Scott\Application Data\Privacy components
d:\documents and settings\Steph and Scott\Application Data\Privacy components\dbases\cg.dat
d:\documents and settings\Steph and Scott\Application Data\Privacy components\dbases\mw.dat
d:\documents and settings\Steph and Scott\Application Data\Privacy components\dbases\rd.dat
d:\documents and settings\Steph and Scott\Application Data\Privacy components\dbases\sc.dat
d:\documents and settings\Steph and Scott\Application Data\Privacy components\dbases\sm.dat
d:\documents and settings\Steph and Scott\Application Data\Privacy components\dbases\sp.dat
d:\documents and settings\Steph and Scott\Application Data\Privacy components\keys\cg.key
d:\documents and settings\Steph and Scott\Application Data\Privacy components\keys\rd.key
d:\documents and settings\Steph and Scott\Application Data\Privacy components\keys\sc.key
d:\documents and settings\Steph and Scott\Application Data\Privacy components\keys\sp.key
d:\documents and settings\Steph and Scott\Application Data\Privacy components\temp\settings.ini
d:\documents and settings\Steph and Scott\Application Data\Privacy components\temp\spfilter
d:\documents and settings\Steph and Scott\Desktop\Internet Security 2010.lnk
d:\documents and settings\Steph and Scott\Start Menu\Internet Security 2010.lnk
d:\program files\FunWebProducts
d:\program files\InternetSecurity2010
d:\program files\InternetSecurity2010\IS2010.exe
d:\program files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}
d:\program files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}\chrome.manifest
d:\program files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}\chrome\zwunzi.jar
d:\program files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}\defaults\preferences\prefs.js
d:\program files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}\install.rdf
d:\program files\Mozilla Firefox\searchplugins\zwunzi119.xml
d:\program files\MyWebSearch
d:\program files\MyWebSearch\bar\History\search3
d:\program files\MyWebSearch\bar\Settings\s_pid.dat
d:\program files\Privacy components
d:\program files\Zwunzi
d:\program files\Zwunzi\zwunzi.exe
d:\recycler\S-1-5-21-789336058-299502267-725345543-1003
d:\windows\system32\41.exe
d:\windows\system32\drivers\H8SRTwyedbnejkl.sys
d:\windows\system32\H8SRTekvoafynxc.dll
d:\windows\system32\h8srtkrl32mainweq.dll
d:\windows\system32\H8SRTmbcjwsrstv.dll
d:\windows\system32\H8SRTnpqspyvbrv.log
d:\windows\system32\H8SRToyuupxjxnx.dat
d:\windows\system32\H8SRTpubkkrboed.dll
d:\windows\system32\h8srtshsyst.dll
d:\windows\system32\H8SRTydxnjyiddi.dll
d:\windows\system32\helper32.dll
d:\windows\system32\IS15.exe
d:\windows\system32\smss32.exe
d:\windows\system32\warning.html
d:\windows\system32\winlogon32.exe
d:\windows\ukizobifuyiwogil.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_ZWUNZI_SERVICE
-------\Service_Zwunzi Service

((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 04:14 . 2010-01-26 05:15 0 ----a-w- d:\windows\Wzeqokecikota.bin
2010-01-26 04:14 . 2010-01-26 04:14 120 ----a-w- d:\windows\Wyifacehezusuqi.dat
2010-01-26 04:14 . 2010-01-26 04:14 -------- d-----w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}
2010-01-23 07:27 . 2010-01-23 07:27 -------- d-----w- d:\program files\Common Files\Adobe
2010-01-20 19:00 . 2010-01-20 19:00 552 ----a-w- d:\windows\system32\d3d8caps.dat
2010-01-18 04:00 . 2010-01-18 04:00 -------- d-----w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\tcsavd
2010-01-17 01:51 . 2010-01-17 01:51 -------- d-----w- d:\program files\Power Tab Software
2010-01-17 01:18 . 2010-01-17 01:18 -------- d-----w- d:\program files\TrendMicro
2010-01-12 16:07 . 2010-01-12 16:07 -------- d-sh--w- d:\documents and settings\Steph and Scott\PrivacIE
2010-01-10 22:01 . 2010-01-10 22:01 -------- d-----w- d:\program files\Trend Micro
2010-01-10 08:58 . 2010-01-10 08:58 -------- d-sh--w- d:\windows\system32\config\systemprofile\IETldCache
2010-01-10 08:57 . 2010-01-10 08:57 -------- d-sh--w- d:\documents and settings\Steph and Scott\IETldCache
2010-01-10 08:54 . 2010-01-26 04:49 -------- d-----w- d:\windows\ie8updates
2010-01-10 08:51 . 2009-09-25 05:37 81920 ----a-w- d:\windows\system32\ieencode.dll
2010-01-10 08:51 . 2009-09-25 05:37 81920 ----a-w- d:\windows\system32\dllcache\ieencode.dll
2010-01-10 08:50 . 2009-10-29 07:45 594432 -c----w- d:\windows\system32\dllcache\msfeeds.dll
2010-01-10 08:50 . 2009-10-29 07:45 55296 -c----w- d:\windows\system32\dllcache\msfeedsbs.dll
2010-01-10 08:50 . 2009-10-29 07:45 12800 -c----w- d:\windows\system32\dllcache\xpshims.dll
2010-01-10 08:50 . 2009-10-29 07:45 246272 -c----w- d:\windows\system32\dllcache\ieproxy.dll
2010-01-10 08:50 . 2009-10-29 07:45 1985536 -c----w- d:\windows\system32\dllcache\iertutil.dll
2010-01-10 08:49 . 2009-10-29 07:45 11069952 -c----w- d:\windows\system32\dllcache\ieframe.dll
2010-01-10 08:49 . 2009-10-02 04:44 92160 -c----w- d:\windows\system32\dllcache\iecompat.dll
2010-01-10 02:40 . 2010-01-10 02:40 -------- d-----w- d:\documents and settings\Administrator\Application Data\VMNTOOLBAR
2010-01-10 02:40 . 2010-01-10 02:40 -------- d-----w- d:\documents and settings\Administrator\Application Data\EmailNotifier
2010-01-09 23:48 . 2010-01-10 00:51 -------- d-----w- d:\documents and settings\Administrator\Application Data\U3
2010-01-07 01:29 . 2010-01-20 19:00 664 ----a-w- d:\windows\system32\d3d9caps.dat
2010-01-03 15:54 . 2010-01-03 15:54 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-03 15:49 . 2010-01-03 15:49 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-03 15:48 . 2010-01-03 15:57 -------- d-----w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\Google
2010-01-03 15:47 . 2010-01-04 19:29 -------- d-----w- d:\program files\Google
2010-01-03 01:41 . 2010-01-05 21:26 -------- d-----w- d:\documents and settings\All Users\Application Data\Rosetta Stone
2010-01-03 01:41 . 2010-01-03 01:41 -------- d-----w- d:\program files\Rosetta Stone
2009-12-30 05:44 . 2009-11-21 15:51 471552 -c----w- d:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 04:46 . 2008-11-17 05:05 18632 ----a-w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 04:10 . 2010-01-22 10:51 1016 ----a-w- d:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-23 07:22 . 2009-12-23 01:38 -------- d-----w- d:\program files\Free Offers from Freeze.com
2010-01-16 08:20 . 2008-12-16 18:42 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\LimeWire
2010-01-13 02:05 . 2008-12-11 19:30 -------- d-----w- d:\program files\Paint.NET
2010-01-12 17:56 . 2008-09-16 14:58 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2010-01-10 16:49 . 2009-12-14 02:33 -------- d-----w- d:\program files\Freeze.com
2010-01-06 18:01 . 2009-11-12 18:29 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\vmntoolbar
2010-01-03 01:44 . 2009-06-08 21:48 -------- d-----w- d:\documents and settings\All Users\Application Data\FLEXnet
2009-12-23 17:29 . 2008-11-21 17:48 -------- d-----w- d:\program files\Yahoo!
2009-12-23 17:28 . 2009-12-23 17:28 118784 ----a-w- d:\windows\Web\Wallpaper\Christmas Clock 2 Wallpaper.exe
2009-12-23 17:25 . 2009-11-13 17:16 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\BitZipper
2009-12-23 01:53 . 2009-12-23 01:53 -------- d-----w- d:\program files\FramePhotoEditor
2009-12-23 01:38 . 2009-12-23 01:38 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\WeatherBug
2009-12-23 01:38 . 2009-12-23 01:38 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\blinkx
2009-12-20 19:30 . 2008-11-16 22:22 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\U3
2009-12-14 02:26 . 2009-12-14 02:26 118784 ----a-w- d:\windows\Web\Wallpaper\Christmas Clock 2 Wallpaper dir\uninstall.exe
2009-12-03 07:32 . 2009-12-03 07:32 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\Digsby
2009-11-23 22:02 . 2009-11-23 21:36 1037 ----a-w- d:\windows\eReg.dat
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- d:\windows\AppPatch\aclayers.dll
2009-11-13 03:23 . 2009-11-13 03:23 167 ----a-w- d:\documents and settings\Steph and Scott\udownload.dat
2009-11-04 23:04 . 2009-11-04 23:08 15216 ----a-w- d:\windows\system32\drivers\HookCont.sys
2009-11-04 23:04 . 2009-11-04 23:08 238704 ----a-w- d:\windows\system32\bsmain.exe
2009-11-04 23:04 . 2009-11-04 23:08 10832 ----a-w- d:\windows\system32\drivers\RsNTGdi.sys
2009-11-04 23:04 . 2009-11-04 23:08 33904 ----a-w- d:\windows\system32\drivers\HookHelp.sys
2009-11-04 23:04 . 2009-11-04 23:08 140656 ----a-w- d:\windows\system32\drivers\HookSys.sys
2009-11-04 23:04 . 2009-11-04 23:08 146032 ----a-w- d:\windows\system32\RavExt.dll
2009-10-29 05:38 . 2004-08-04 12:00 667136 ----a-w- d:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0 bsmain

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli opntierp.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Steph and Scott^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=d:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Steph and Scott^Start Menu^Programs^Startup^Voobys.lnk]
path=d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\Voobys.lnk
backup=d:\windows\pss\Voobys.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
d:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 18:54 150016 ----a-w- d:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 ----a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavTray]
2009-11-04 23:04 141936 ------w- d:\program files\Rising\Rav\RsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2002-11-08 23:50 98304 ----a-w- d:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sprint SmartView]
2008-10-15 20:02 17664 ----a-w- d:\program files\Sprint\Sprint SmartView\SprintSV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"SprintRcAppSvc"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"RsScanSrv"=2 (0x2)
"RavTask"=2 (0x2)
"RavCCenter"=2 (0x2)
"ose"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"d:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"d:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\RosettaStoneVersion3.exe"=

R0 RsNTGDI;RsNTGDI;d:\windows\system32\drivers\RsNTGdi.sys [11/4/2009 6:08 PM 10832]
S4 RavCCenter;Rav Process Communication Center;d:\program files\Rising\Rav\CCenter.exe [11/4/2009 6:08 PM 113264]
S4 RavTask;Rising RavTask Manager;d:\program files\Rising\Rav\RavTask.exe [11/4/2009 6:08 PM 129648]
S4 RsScanSrv;Rising Scan Service;d:\program files\Rising\Rav\ScanFrm.exe [11/4/2009 6:08 PM 51824]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 15:48]

2010-01-26 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 15:48]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZQfox000
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\Steph and Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {4C0A00A6-056B-4314-9928-A705EB97A9AE} - hxxp://www.visualwebtools.com/VWT4.cab
DPF: {5C4B8FBC-AB9D-40C0-BB0A-E20570B4F754} - hxxp://www.visualwebtools.com/progressbar.cab
FF - ProfilePath - d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.searchcanvas.com/web?ot=7&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://recovery.alexa.com/helper/?aid=J ... &location=
FF - component: d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - plugin: d:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592} - d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)
HKLM-Run-Fdasoqaxaco - d:\windows\ukizobifuyiwogil.dll
MSConfigStartUp-Aim6 - d:\program files\AIM6\aim6.exe
MSConfigStartUp-Fdasoqaxaco - d:\windows\ukizobifuyiwogil.dll
MSConfigStartUp-Internet Security 2010 - d:\program files\InternetSecurity2010\IS2010.exe
MSConfigStartUp-Messenger (Yahoo!) - d:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-MyWebSearch Email Plugin - d:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
MSConfigStartUp-smss32 - d:\windows\system32\smss32.exe
MSConfigStartUp-Weather - d:\program files\AWS\WeatherBug\Weather.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 00:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(728)
d:\windows\opntierp.dll

- - - - - - - > 'explorer.exe'(584)
d:\windows\opntierp.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-01-26 00:37:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 05:37

Pre-Run: 493,936,640 bytes free
Post-Run: 1,083,592,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 341C179E603D13225E7E4A701036F96A

by **jmw3** » January 26th, 2010, 4:25 am

Hi

Good to hear things are looking better. Still a bit to do though. And a couple of questions for you.
Just out of curiosity, can you remember the service you disabled in order to get ComboFix to run?
I also note ComboFix deleted the following folder & everything in it:
d:\documents and settings\All Users\Application Data\MSN6
Are you using MSN6?

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all

http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=48893
Collect::
d:\windows\Wzeqokecikota.bin
d:\windows\Wyifacehezusuqi.dat
d:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
d:\windows\opntierp.dll
File::
d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\LimeWire On Startup.lnk
d:\windows\pss\LimeWire On Startup.lnkStartup
Folder::
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}
d:\documents and settings\Steph and Scott\Local Settings\Application Data\tcsavd
d:\documents and settings\Administrator\Application Data\VMNTOOLBAR
d:\documents and settings\Administrator\Application Data\EmailNotifier
d:\program files\Free Offers from Freeze.com
d:\documents and settings\Steph and Scott\Application Data\LimeWire
d:\program files\Freeze.com
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKLM\~\startupfolder\D:^Documents and Settings^Steph and Scott^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
DDS::
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZQfox000
Firefox::
FF - ProfilePath - d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: keyword.URL - 
FF - HiddenExtension: XULRunner: {4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592} -

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

Download the latest version of Java Runtime Environment (JRE) 6 Here
Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
Click the orange Download JRE button to the right
Select the Windows platform from the dropdown menu
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
Click on the link to download Windows Offline Installation & save the file to your desktop
Close any programs you may have running - especially your web browser
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel

Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<

Read through the requirements and privacy statement and click on Accept button
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
When the downloads have finished, click on Settings
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Click on My Computer under Scan
Once the scan is complete, it will display the results. Click on View Scan Report
You will see a list of infected items there. Click on Save Report As...
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
Please post this log in your next reply

Pictured tutorial if required.

To post in next reply:
ComboFix log
Kaspersky Online Scan log
New HijackThis log

by **Crimson531** » January 27th, 2010, 6:01 pm

I'm sorry about the lateness of this post. My mother quit out of the Kaspersky scan and totally threw me off schedule... It took a while to get it to run through completely. But here are the logs you requested.

Combofix log
ComboFix 10-01-26.02 - Steph and Scott 01/26/2010 18:27:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.377 [GMT -5:00]
Running from: d:\documents and settings\Steph and Scott\Desktop\Jon's Computer Tools\commy531.exe
Command switches used :: d:\documents and settings\Steph and Scott\Desktop\Jon's Computer Tools\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Steph and Scott\Local Settings\Application Data\tcsavd
d:\documents and settings\Steph and Scott\Local Settings\Application Data\tcsavd\ysqpsysguard.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 04:14 . 2010-01-26 05:15 0 ----a-w- d:\windows\Wzeqokecikota.bin
2010-01-26 04:14 . 2010-01-26 04:14 120 ----a-w- d:\windows\Wyifacehezusuqi.dat
2010-01-26 04:14 . 2010-01-26 04:14 -------- d-----w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}
2010-01-23 07:27 . 2010-01-23 07:27 -------- d-----w- d:\program files\Common Files\Adobe
2010-01-22 10:51 . 2010-01-26 04:10 1016 ----a-w- d:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-20 19:00 . 2010-01-20 19:00 552 ----a-w- d:\windows\system32\d3d8caps.dat
2010-01-17 01:51 . 2010-01-17 01:51 3310 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe
2010-01-17 01:51 . 2010-01-17 01:51 -------- d-----w- d:\program files\Power Tab Software
2010-01-17 01:18 . 2010-01-17 01:18 388096 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-17 01:18 . 2010-01-17 01:18 -------- d-----w- d:\program files\TrendMicro
2010-01-12 16:07 . 2010-01-12 16:07 -------- d-sh--w- d:\documents and settings\Steph and Scott\PrivacIE
2010-01-10 22:01 . 2010-01-10 22:01 -------- d-----w- d:\program files\Trend Micro
2010-01-10 08:58 . 2010-01-10 08:58 -------- d-sh--w- d:\windows\system32\config\systemprofile\IETldCache
2010-01-10 08:57 . 2010-01-10 08:57 -------- d-sh--w- d:\documents and settings\Steph and Scott\IETldCache
2010-01-10 08:54 . 2010-01-26 04:49 -------- d-----w- d:\windows\ie8updates
2010-01-10 08:51 . 2009-09-25 05:37 81920 ----a-w- d:\windows\system32\ieencode.dll
2010-01-10 08:51 . 2009-09-25 05:37 81920 ----a-w- d:\windows\system32\dllcache\ieencode.dll
2010-01-10 08:50 . 2009-10-29 07:45 594432 -c----w- d:\windows\system32\dllcache\msfeeds.dll
2010-01-10 08:50 . 2009-10-29 07:45 55296 -c----w- d:\windows\system32\dllcache\msfeedsbs.dll
2010-01-10 08:50 . 2009-10-29 07:45 12800 -c----w- d:\windows\system32\dllcache\xpshims.dll
2010-01-10 08:50 . 2009-10-29 07:45 246272 -c----w- d:\windows\system32\dllcache\ieproxy.dll
2010-01-10 08:50 . 2009-10-29 07:45 1985536 -c----w- d:\windows\system32\dllcache\iertutil.dll
2010-01-10 08:49 . 2009-10-29 07:45 11069952 -c----w- d:\windows\system32\dllcache\ieframe.dll
2010-01-10 08:49 . 2009-10-02 04:44 92160 -c----w- d:\windows\system32\dllcache\iecompat.dll
2010-01-10 02:40 . 2010-01-10 02:40 -------- d-----w- d:\documents and settings\Administrator\Application Data\VMNTOOLBAR
2010-01-10 02:40 . 2010-01-10 02:40 -------- d-----w- d:\documents and settings\Administrator\Application Data\EmailNotifier
2010-01-10 00:48 . 2007-10-23 14:27 110592 ----a-w- d:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-01-09 23:48 . 2008-05-02 15:41 3493888 ----a-w- d:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2010-01-09 23:48 . 2010-01-10 00:51 -------- d-----w- d:\documents and settings\Administrator\Application Data\U3
2010-01-07 01:29 . 2010-01-20 19:00 664 ----a-w- d:\windows\system32\d3d9caps.dat
2010-01-03 15:54 . 2010-01-03 15:54 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-03 15:49 . 2010-01-03 15:49 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-03 15:48 . 2010-01-03 15:57 -------- d-----w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\Google
2010-01-03 15:47 . 2010-01-04 19:29 -------- d-----w- d:\program files\Google
2010-01-03 01:41 . 2010-01-05 21:26 -------- d-----w- d:\documents and settings\All Users\Application Data\Rosetta Stone
2010-01-03 01:41 . 2010-01-03 01:41 -------- d-----w- d:\program files\Rosetta Stone
2009-12-30 05:44 . 2009-11-21 15:51 471552 -c----w- d:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 08:20 . 2009-11-23 21:26 -------- d-----w- d:\program files\Maxis
2010-01-26 04:46 . 2008-11-17 05:05 18632 ----a-w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-23 07:22 . 2009-12-23 01:38 -------- d-----w- d:\program files\Free Offers from Freeze.com
2010-01-16 08:20 . 2008-12-16 18:42 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\LimeWire
2010-01-13 02:05 . 2008-12-11 19:30 -------- d-----w- d:\program files\Paint.NET
2010-01-12 17:56 . 2008-09-16 14:58 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2010-01-10 16:49 . 2009-12-14 02:33 -------- d-----w- d:\program files\Freeze.com
2010-01-06 18:01 . 2009-11-12 18:29 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\vmntoolbar
2010-01-03 01:44 . 2009-06-08 21:48 -------- d-----w- d:\documents and settings\All Users\Application Data\FLEXnet
2009-12-23 17:29 . 2008-11-21 17:48 -------- d-----w- d:\program files\Yahoo!
2009-12-23 17:28 . 2009-12-23 17:28 118784 ----a-w- d:\windows\Web\Wallpaper\Christmas Clock 2 Wallpaper.exe
2009-12-23 17:25 . 2009-11-13 17:16 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\BitZipper
2009-12-23 04:04 . 2009-11-12 19:50 79488 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-23 01:53 . 2009-12-23 01:53 -------- d-----w- d:\program files\FramePhotoEditor
2009-12-23 01:38 . 2009-12-23 01:38 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\WeatherBug
2009-12-23 01:38 . 2009-12-23 01:38 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\blinkx
2009-12-20 19:30 . 2008-11-16 22:22 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\U3
2009-12-14 02:26 . 2009-12-14 02:26 118784 ----a-w- d:\windows\Web\Wallpaper\Christmas Clock 2 Wallpaper dir\uninstall.exe
2009-12-03 07:32 . 2009-12-03 07:32 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\Digsby
2009-11-23 22:02 . 2009-11-23 21:36 1037 ----a-w- d:\windows\eReg.dat
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- d:\windows\AppPatch\aclayers.dll
2009-11-13 03:23 . 2009-11-13 03:23 167 ----a-w- d:\documents and settings\Steph and Scott\udownload.dat
2009-11-11 20:29 . 2009-12-06 00:57 12800 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
2009-11-04 23:04 . 2009-11-04 23:08 15216 ----a-w- d:\windows\system32\drivers\HookCont.sys
2009-11-04 23:04 . 2009-11-04 23:08 238704 ----a-w- d:\windows\system32\bsmain.exe
2009-11-04 23:04 . 2009-11-04 23:08 10832 ----a-w- d:\windows\system32\drivers\RsNTGdi.sys
2009-11-04 23:04 . 2009-11-04 23:08 33904 ----a-w- d:\windows\system32\drivers\HookHelp.sys
2009-11-04 23:04 . 2009-11-04 23:08 140656 ----a-w- d:\windows\system32\drivers\HookSys.sys
2009-11-04 23:04 . 2009-11-04 23:08 146032 ----a-w- d:\windows\system32\RavExt.dll
2009-10-29 05:38 . 2004-08-04 12:00 667136 ------w- d:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0 bsmain

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli opntierp.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Steph and Scott^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=d:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^Steph and Scott^Start Menu^Programs^Startup^Voobys.lnk]
path=d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\Voobys.lnk
backup=d:\windows\pss\Voobys.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
d:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 18:54 150016 ----a-w- d:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 ----a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavTray]
2009-11-04 23:04 141936 ------w- d:\program files\Rising\Rav\RsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2002-11-08 23:50 98304 ----a-w- d:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sprint SmartView]
2008-10-15 20:02 17664 ----a-w- d:\program files\Sprint\Sprint SmartView\SprintSV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"SprintRcAppSvc"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"RsScanSrv"=2 (0x2)
"RavTask"=2 (0x2)
"RavCCenter"=2 (0x2)
"ose"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"d:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"d:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\RosettaStoneVersion3.exe"=

R0 RsNTGDI;RsNTGDI;d:\windows\system32\drivers\RsNTGdi.sys [11/4/2009 6:08 PM 10832]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 15:48]

2010-01-26 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 15:48]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZQfox000
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\Steph and Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {4C0A00A6-056B-4314-9928-A705EB97A9AE} - hxxp://www.visualwebtools.com/VWT4.cab
DPF: {5C4B8FBC-AB9D-40C0-BB0A-E20570B4F754} - hxxp://www.visualwebtools.com/progressbar.cab
FF - ProfilePath - d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.searchcanvas.com/web?ot=7&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://recovery.alexa.com/helper/?aid=J ... &location=
FF - component: d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - plugin: d:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592} - d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 18:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(728)
d:\windows\opntierp.dll
.
Completion time: 2010-01-26 18:37:40
ComboFix-quarantined-files.txt 2010-01-26 23:37
ComboFix2.txt 2010-01-26 05:37

Pre-Run: 2,050,048,000 bytes free
Post-Run: 2,014,732,288 bytes free

- - End Of File - - A76305B014C500323344D00794A37D4A

Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, January 27, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, January 27, 2010 16:21:18
Records in database: 3377373
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 205116
Threats found: 9
Infected objects found: 26
Suspicious objects found: 0
Scan duration: 04:28:09

File name / Threat / Threats count
lsass.exe\opntierp.dll/lsass.exe\opntierp.dll Infected: Trojan-Downloader.Win32.Mufanom.hgo 1
D:\WINDOWS\opntierp.dll/D:\WINDOWS\opntierp.dll Infected: Trojan-Downloader.Win32.Mufanom.hia 2
explorer.exe\opntierp.dll/explorer.exe\opntierp.dll Infected: Trojan-Downloader.Win32.Mufanom.hgo 1
D:\Qoobox\Quarantine\D\Documents and Settings\Steph and Scott\Local Settings\Application Data\tcsavd\ysqpsysguard.exe.vir Infected: Trojan.Win32.FraudPack.akio 1
D:\Qoobox\Quarantine\D\Program Files\InternetSecurity2010\IS2010.exe.vir Infected: not-a-virus:FraudTool.Win32.InternetSecurity2010.j 1
D:\Qoobox\Quarantine\D\Program Files\Zwunzi\zwunzi.exe.vir Infected: not-a-virus:AdWare.Win32.Zwangi.ae 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\41.exe.vir Infected: Trojan-Downloader.Win32.Mufanom.hia 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\drivers\H8SRTwyedbnejkl.sys.vir Infected: Rootkit.Win32.TDSS.af 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\H8SRTekvoafynxc.dll.vir Infected: Packed.Win32.TDSS.aa 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\H8SRTmbcjwsrstv.dll.vir Infected: Packed.Win32.TDSS.aa 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\H8SRTpubkkrboed.dll.vir Infected: Packed.Win32.TDSS.aa 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\H8SRTydxnjyiddi.dll.vir Infected: Packed.Win32.TDSS.aa 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\helper32.dll.vir Infected: Trojan.Win32.BHO.adiv 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\IS15.exe.vir Infected: not-a-virus:FraudTool.Win32.InternetSecurity2010.j 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\smss32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wxta 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\winlogon32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wxta 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP1\A0000041.exe Infected: not-a-virus:FraudTool.Win32.InternetSecurity2010.j 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP1\A0000043.exe Infected: not-a-virus:AdWare.Win32.Zwangi.ae 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP1\A0000044.exe Infected: Trojan-Downloader.Win32.Mufanom.hia 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP1\A0000047.dll Infected: Trojan.Win32.BHO.adiv 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP1\A0000048.exe Infected: not-a-virus:FraudTool.Win32.InternetSecurity2010.j 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP1\A0000049.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxta 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP1\A0000050.exe Infected: Trojan-Downloader.Win32.FraudLoad.wxta 1
D:\System Volume Information\_restore{CFD90517-45DA-468B-98A4-068CE7DDC7BB}\RP2\A0000536.exe Infected: Trojan.Win32.FraudPack.akio 1
D:\WINDOWS\opntierp.dll Infected: Trojan-Downloader.Win32.Mufanom.hia 1

Selected area has been scanned.

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:57:44 PM, on 1/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Java\jre6\bin\java.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZQfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - D:\Documents and Settings\Steph and Scott\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader57.cab
O16 - DPF: {4C0A00A6-056B-4314-9928-A705EB97A9AE} (VWT4 Control) - http://www.visualwebtools.com/VWT4.cab
O16 - DPF: {5C4B8FBC-AB9D-40C0-BB0A-E20570B4F754} (Progressbar Control) - http://www.visualwebtools.com/progressbar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8385773828
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3874 bytes

by **jmw3** » January 28th, 2010, 12:16 am

Hi

The CFScript didn't appear to work. Nothing was removed that was supposed to be removed. We'll try it again.

Delete the copy of ComboFix you have & download it again:
Link 1
Link 2

No need to rename it this time & save it directly to the desktop, not in a folder.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all

KillAll::
File::
d:\windows\Wzeqokecikota.bin
d:\windows\Wyifacehezusuqi.dat
d:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
d:\windows\opntierp.dll
d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\LimeWire On Startup.lnk
d:\windows\pss\LimeWire On Startup.lnkStartup
Folder::
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}
d:\documents and settings\Steph and Scott\Local Settings\Application Data\tcsavd
d:\documents and settings\Administrator\Application Data\VMNTOOLBAR
d:\documents and settings\Administrator\Application Data\EmailNotifier
d:\program files\Free Offers from Freeze.com
d:\documents and settings\Steph and Scott\Application Data\LimeWire
d:\program files\Freeze.com
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKLM\~\startupfolder\D:^Documents and Settings^Steph and Scott^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
DDS::
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZQfox000
Firefox::
FF - ProfilePath - d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: keyword.URL - 
FF - HiddenExtension: XULRunner: {4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592} -

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:
ComboFix log

by **Crimson531** » January 28th, 2010, 2:03 am

Yeah sorry about not answering your questions last time... It completely slipped my mind. But no we don't use MSN, so I'm not really bothered that it was deleted. As for the service I disabled, since I've run combofix I can't seem to find the service that was there. Or maybe I can't really remember. Or it possibly ran because I changed the name of the combofix.exe file another time after you told me to name it commyfix.exe. I named it to commyfix531.exe, which afterwards it worked again. Another funny thing is after I ran combofix the first time the first combofix link works on this computer now. Didn't think malware could do that... I think this CFScript worked. I know I keep saying this, but thank you again for your help.

Combofix Log

ComboFix 10-01-27.03 - Steph and Scott 01/28/2010 0:18.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.321 [GMT -5:00]
Running from: d:\documents and settings\Steph and Scott\Desktop\Jon's Computer Tools\ComboFix.exe
Command switches used :: d:\documents and settings\Steph and Scott\Desktop\Jon's Computer Tools\CFScript.txt

FILE ::
"d:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll"
"d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\LimeWire On Startup.lnk"
"d:\windows\opntierp.dll"
"d:\windows\pss\LimeWire On Startup.lnkStartup"
"d:\windows\Wyifacehezusuqi.dat"
"d:\windows\Wzeqokecikota.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Administrator\Application Data\EmailNotifier
d:\documents and settings\Administrator\Application Data\VMNTOOLBAR
d:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire
d:\documents and settings\Steph and Scott\Application Data\LimeWire\active.mojito
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\auth.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\find.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\places.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\update.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\freebl3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\js3250.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\LICENSE
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\debug.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\utils.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\mozctl.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\nspr4.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\nss3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\platform.ini
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\plc4.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\plds4.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\README.txt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\designmode.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\forms.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\html.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\language.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\mathml.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\quirk.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\svg.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\ua.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\smime3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\softokn3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\ssl3.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\updater.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\version.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xpcom.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xpidl.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xul.dll
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
d:\documents and settings\Steph and Scott\Application Data\LimeWire\certificate\limewire.keystore
d:\documents and settings\Steph and Scott\Application Data\LimeWire\createtimes.cache
d:\documents and settings\Steph and Scott\Application Data\LimeWire\downloads.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\fileurns.cache
d:\documents and settings\Steph and Scott\Application Data\LimeWire\filters.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\gnutella.net
d:\documents and settings\Steph and Scott\Application Data\LimeWire\installation.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\library.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\library5.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\limewire.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\lock
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mojito.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\.autoreg
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\60393689d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\60D7D5A5d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\98E79480d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\AE98BDF4d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A85d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\C758BCB7d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\C9DF1160d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\Cache\D5267890d01
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\cert8.db
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\compreg.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\cookies.sqlite
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\downloads.sqlite
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\extensions.cache
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\extensions.ini
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\history.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\key3.db
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\permissions.sqlite
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\places.sqlite
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\pluginreg.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\prefs.js
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\secmod.db
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\XPC.mfl
d:\documents and settings\Steph and Scott\Application Data\LimeWire\mozilla-profile\xpti.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\passive.mojito
d:\documents and settings\Steph and Scott\Application Data\LimeWire\player.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\promotion\promodb.backup
d:\documents and settings\Steph and Scott\Application Data\LimeWire\promotion\promodb.data
d:\documents and settings\Steph and Scott\Application Data\LimeWire\promotion\promodb.lck
d:\documents and settings\Steph and Scott\Application Data\LimeWire\promotion\promodb.log
d:\documents and settings\Steph and Scott\Application Data\LimeWire\promotion\promodb.properties
d:\documents and settings\Steph and Scott\Application Data\LimeWire\promotion\promodb.script
d:\documents and settings\Steph and Scott\Application Data\LimeWire\questions.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\responses.cache
d:\documents and settings\Steph and Scott\Application Data\LimeWire\simpp.xml
d:\documents and settings\Steph and Scott\Application Data\LimeWire\spam.dat
d:\documents and settings\Steph and Scott\Application Data\LimeWire\tables.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme.lwtp
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\01_star.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\02_star.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\03_star.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\04_star.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\05_star.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\chat.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\forward_up.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\kill.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\kill_on.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\pause_up.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\play_dn.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\play_up.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\question.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\stop_up.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\theme.txt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\version.txt
d:\documents and settings\Steph and Scott\Application Data\LimeWire\themes\windows_theme\warning.gif
d:\documents and settings\Steph and Scott\Application Data\LimeWire\ttdata.cache
d:\documents and settings\Steph and Scott\Application Data\LimeWire\ttrees.cache
d:\documents and settings\Steph and Scott\Application Data\LimeWire\ttroot.cache
d:\documents and settings\Steph and Scott\Application Data\LimeWire\version.xml
d:\documents and settings\Steph and Scott\Application Data\LimeWire\versions.props
d:\documents and settings\Steph and Scott\Application Data\LimeWire\xml\data\audio.sxml2
d:\documents and settings\Steph and Scott\Application Data\LimeWire\xml\data\audio.sxml3
d:\documents and settings\Steph and Scott\Application Data\LimeWire\xml\data\video.sxml3
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\chrome.manifest
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\chrome\alottb.jar
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAboutAlotError.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotCustom.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotCustomButton.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotSitepass.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotToolbar.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotWidget.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotWidgetBrowser.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotWidgetButton.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aAlotWidgetWindow.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aIAlotCustom.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aIAlotCustomButton.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aIAlotSitepass.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aIAlotWidget.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aIAlotWidgetBrowser.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aIAlotWidgetButton.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\aIAlotWidgetWindow.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\components\IAlotXpcom.xpt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\defaults\preferences\alottb.js
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\firstrun.txt
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\gen\.keep
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\gen\alottb-search-defend-dialog.xul
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\install.rdf
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\META-INF\manifest.mf
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\META-INF\zigbert.rsa
d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\toolbar@alot.com\META-INF\zigbert.sf
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\__slider.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\a.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\amazon.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\an.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\arrow.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\arrow_down.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\arrow_up.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\arrowB.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\arrowT.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\autofill.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\b.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\bg_pub.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\bg_ttl.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\bn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\bottom.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\bottom_left.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\bottom_right.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\c.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\CAlogo.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\canalblog.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\cn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\COMBOSEARCH.acs
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\d.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\dictionary2.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\dn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\DownloadCOM.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\dropdown.css
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\email_b.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\equalizer_loading.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\equalizer_off.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\equalizer_on.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\ErrorLog.txt
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\ErrorPageTemplate.css
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\ErrorPageTemplate_search.css
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\f.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\fn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\g.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\gaming.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\gn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred0.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred0_5.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred1.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred1_5.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred2.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred2_5.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred3.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred3_5.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred4.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred4_5.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\graphred5.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_aquarius.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_aries.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_cancer.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_capricorn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_gemini.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_leo.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_libra.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_pisces.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_sagittarius.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_scorpio.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_taurus.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\h_virgo.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\help.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\hideremove.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\highlight.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\hn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\hororank.xml
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\i.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\IEtab1_8.zip
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\images01.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\in.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\j.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\jn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\k.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\kn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\l.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\left.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\ln.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\loading.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\logo.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\logo_facebook.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\minus.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\minus_on.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\music2.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\n.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\New York_NY_weather.txt
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\New York_NY_weather.txt564812
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\news.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\news.html
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\newsb.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\nn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\o.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\on.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\p.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\p_yahoo.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\p_yahoo_fr.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\pixsy.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\play.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\play_on.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\plus.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\plus_on.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\pn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\popup_off.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\popup_on.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\popup_ona.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\q.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\qn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\r.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\relatedlinks.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\report.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\right.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\rn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\rss.xsl
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\rss1.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\rsslib.js
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\rssmenu1_7a.zip
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\s.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\search.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\search.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\search_fr.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\settings.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\shop2.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\sinfo.txt
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\sinfo.txt564812
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\siteinfo.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\slider.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\sn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\spacer.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\stars-red1.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\stars-red2.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\stars-red3.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\stars-red4.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\stars-red5.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\stop.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\stop_on.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\t.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\tab_icon.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\tabdataV3.js
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\tabwelcome_en.html
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\tabwelcome_fr.html
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\technorati.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\Thumbs.db
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\tn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\tools.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\top.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\top_left.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\top_right.png
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\translate.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\u.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\un.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\utf8.js
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\v.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\vmlib.js
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\vmntoolbartb0501.cfg
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\vn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\w.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\web_en.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\web_fr.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\wikipedia.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\wn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\x.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\xp_close_small.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\yahoo_search.gif
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\YouTube.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\z.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\zn.bmp
d:\documents and settings\Steph and Scott\Application Data\vmntoolbar\zoom.bmp
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}\chrome.manifest
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}\chrome\content\_cfg.js
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}\chrome\content\overlay.xul
d:\documents and settings\Steph and Scott\Local Settings\Application Data\{4F1AE5E8-B4D9-43B7-B9F9-D29A3BC53592}\install.rdf
d:\program files\Free Offers from Freeze.com
d:\program files\Free Offers from Freeze.com\101_Free_Songs.ico
d:\program files\Free Offers from Freeze.com\4115.url
d:\program files\Free Offers from Freeze.com\4294.url
d:\program files\Free Offers from Freeze.com\5007.url
d:\program files\Free Offers from Freeze.com\5540.url
d:\program files\Free Offers from Freeze.com\5542.url
d:\program files\Free Offers from Freeze.com\6285.url
d:\program files\Free Offers from Freeze.com\clickfinderror.ico
d:\program files\Free Offers from Freeze.com\control.txt
d:\program files\Free Offers from Freeze.com\games.ico
d:\program files\Free Offers from Freeze.com\games_icon2.ico
d:\program files\Free Offers from Freeze.com\musicoasis.ico
d:\program files\Free Offers from Freeze.com\theft_protection.ico
d:\program files\Freeze.com
d:\program files\Freeze.com\My 3D Christmas Tree Animated Wallpaper\resource.dat
d:\windows\opntierp.dll
d:\windows\pss\LimeWire On Startup.lnkStartup
d:\windows\Wyifacehezusuqi.dat
d:\windows\Wzeqokecikota.bin

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-26 23:43 . 2010-01-26 23:43 -------- d-----w- d:\program files\Common Files\Java
2010-01-23 07:27 . 2010-01-23 07:27 -------- d-----w- d:\program files\Common Files\Adobe
2010-01-20 19:00 . 2010-01-20 19:00 552 ----a-w- d:\windows\system32\d3d8caps.dat
2010-01-17 01:51 . 2010-01-17 01:51 -------- d-----w- d:\program files\Power Tab Software
2010-01-17 01:18 . 2010-01-17 01:18 -------- d-----w- d:\program files\TrendMicro
2010-01-12 16:07 . 2010-01-12 16:07 -------- d-sh--w- d:\documents and settings\Steph and Scott\PrivacIE
2010-01-10 22:01 . 2010-01-10 22:01 -------- d-----w- d:\program files\Trend Micro
2010-01-10 08:58 . 2010-01-10 08:58 -------- d-sh--w- d:\windows\system32\config\systemprofile\IETldCache
2010-01-10 08:57 . 2010-01-10 08:57 -------- d-sh--w- d:\documents and settings\Steph and Scott\IETldCache
2010-01-10 08:54 . 2010-01-26 04:49 -------- d-----w- d:\windows\ie8updates
2010-01-10 08:51 . 2009-09-25 05:37 81920 ----a-w- d:\windows\system32\ieencode.dll
2010-01-10 08:51 . 2009-09-25 05:37 81920 ----a-w- d:\windows\system32\dllcache\ieencode.dll
2010-01-10 08:50 . 2009-10-29 07:45 594432 -c----w- d:\windows\system32\dllcache\msfeeds.dll
2010-01-10 08:50 . 2009-10-29 07:45 55296 -c----w- d:\windows\system32\dllcache\msfeedsbs.dll
2010-01-10 08:50 . 2009-10-29 07:45 12800 -c----w- d:\windows\system32\dllcache\xpshims.dll
2010-01-10 08:50 . 2009-10-29 07:45 246272 -c----w- d:\windows\system32\dllcache\ieproxy.dll
2010-01-10 08:50 . 2009-10-29 07:45 1985536 -c----w- d:\windows\system32\dllcache\iertutil.dll
2010-01-10 08:49 . 2009-10-29 07:45 11069952 -c----w- d:\windows\system32\dllcache\ieframe.dll
2010-01-10 08:49 . 2009-10-02 04:44 92160 -c----w- d:\windows\system32\dllcache\iecompat.dll
2010-01-09 23:48 . 2010-01-10 00:51 -------- d-----w- d:\documents and settings\Administrator\Application Data\U3
2010-01-07 01:29 . 2010-01-20 19:00 664 ----a-w- d:\windows\system32\d3d9caps.dat
2010-01-03 15:54 . 2010-01-03 15:54 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-03 15:49 . 2010-01-03 15:49 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-03 15:48 . 2010-01-03 15:57 -------- d-----w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\Google
2010-01-03 15:47 . 2010-01-04 19:29 -------- d-----w- d:\program files\Google
2010-01-03 01:41 . 2010-01-05 21:26 -------- d-----w- d:\documents and settings\All Users\Application Data\Rosetta Stone
2010-01-03 01:41 . 2010-01-03 01:41 -------- d-----w- d:\program files\Rosetta Stone
2009-12-30 05:44 . 2009-11-21 15:51 471552 -c----w- d:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 23:43 . 2010-01-26 23:43 503808 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50c77ad2-n\msvcp71.dll
2010-01-26 23:43 . 2010-01-26 23:43 499712 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50c77ad2-n\jmc.dll
2010-01-26 23:43 . 2010-01-26 23:43 348160 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50c77ad2-n\msvcr71.dll
2010-01-26 23:43 . 2010-01-26 23:43 61440 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-56d89b7a-n\decora-sse.dll
2010-01-26 23:43 . 2010-01-26 23:43 12800 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-56d89b7a-n\decora-d3d.dll
2010-01-26 23:43 . 2008-12-16 18:38 411368 ----a-w- d:\windows\system32\deploytk.dll
2010-01-26 08:20 . 2009-11-23 21:26 -------- d-----w- d:\program files\Maxis
2010-01-26 04:46 . 2008-11-17 05:05 18632 ----a-w- d:\documents and settings\Steph and Scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-17 01:51 . 2010-01-17 01:51 3310 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
2010-01-17 01:51 . 2010-01-17 01:51 1078 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe
2010-01-17 01:18 . 2010-01-17 01:18 388096 ----a-r- d:\documents and settings\Steph and Scott\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-13 02:05 . 2008-12-11 19:30 -------- d-----w- d:\program files\Paint.NET
2010-01-12 17:56 . 2008-09-16 14:58 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2010-01-03 01:44 . 2009-06-08 21:48 -------- d-----w- d:\documents and settings\All Users\Application Data\FLEXnet
2009-12-23 17:29 . 2008-11-21 17:48 -------- d-----w- d:\program files\Yahoo!
2009-12-23 17:28 . 2009-12-23 17:28 118784 ----a-w- d:\windows\Web\Wallpaper\Christmas Clock 2 Wallpaper.exe
2009-12-23 17:25 . 2009-11-13 17:16 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\BitZipper
2009-12-23 04:04 . 2009-11-12 19:50 79488 ----a-w- d:\documents and settings\Steph and Scott\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-23 01:53 . 2009-12-23 01:53 -------- d-----w- d:\program files\FramePhotoEditor
2009-12-23 01:38 . 2009-12-23 01:38 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\WeatherBug
2009-12-23 01:38 . 2009-12-23 01:38 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\blinkx
2009-12-20 19:30 . 2008-11-16 22:22 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\U3
2009-12-14 02:26 . 2009-12-14 02:26 118784 ----a-w- d:\windows\Web\Wallpaper\Christmas Clock 2 Wallpaper dir\uninstall.exe
2009-12-03 07:32 . 2009-12-03 07:32 -------- d-----w- d:\documents and settings\Steph and Scott\Application Data\Digsby
2009-11-23 22:02 . 2009-11-23 21:36 1037 ----a-w- d:\windows\eReg.dat
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- d:\windows\AppPatch\aclayers.dll
2009-11-13 03:23 . 2009-11-13 03:23 167 ----a-w- d:\documents and settings\Steph and Scott\udownload.dat
2009-11-04 23:04 . 2009-11-04 23:08 15216 ----a-w- d:\windows\system32\drivers\HookCont.sys
2009-11-04 23:04 . 2009-11-04 23:08 238704 ----a-w- d:\windows\system32\bsmain.exe
2009-11-04 23:04 . 2009-11-04 23:08 10832 ----a-w- d:\windows\system32\drivers\RsNTGdi.sys
2009-11-04 23:04 . 2009-11-04 23:08 33904 ----a-w- d:\windows\system32\drivers\HookHelp.sys
2009-11-04 23:04 . 2009-11-04 23:08 140656 ----a-w- d:\windows\system32\drivers\HookSys.sys
2009-11-04 23:04 . 2009-11-04 23:08 146032 ----a-w- d:\windows\system32\RavExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0 bsmain

[HKLM\~\startupfolder\D:^Documents and Settings^Steph and Scott^Start Menu^Programs^Startup^Voobys.lnk]
path=d:\documents and settings\Steph and Scott\Start Menu\Programs\Startup\Voobys.lnk
backup=d:\windows\pss\Voobys.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 18:54 150016 ----a-w- d:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 ----a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavTray]
2009-11-04 23:04 141936 ------w- d:\program files\Rising\Rav\RsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2002-11-08 23:50 98304 ----a-w- d:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sprint SmartView]
2008-10-15 20:02 17664 ----a-w- d:\program files\Sprint\Sprint SmartView\SprintSV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"SprintRcAppSvc"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"RsScanSrv"=2 (0x2)
"RavTask"=2 (0x2)
"RavCCenter"=2 (0x2)
"ose"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"BITS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"d:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"d:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\RosettaStoneVersion3.exe"=

R0 RsNTGDI;RsNTGDI;d:\windows\system32\drivers\RsNTGdi.sys [11/4/2009 6:08 PM 10832]
S4 RavCCenter;Rav Process Communication Center;d:\program files\Rising\Rav\CCenter.exe [11/4/2009 6:08 PM 113264]
S4 RavTask;Rising RavTask Manager;d:\program files\Rising\Rav\RavTask.exe [11/4/2009 6:08 PM 129648]
S4 RsScanSrv;Rising Scan Service;d:\program files\Rising\Rav\ScanFrm.exe [11/4/2009 6:08 PM 51824]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 15:48]

2010-01-26 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 15:48]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\Steph and Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {4C0A00A6-056B-4314-9928-A705EB97A9AE} - hxxp://www.visualwebtools.com/VWT4.cab
DPF: {5C4B8FBC-AB9D-40C0-BB0A-E20570B4F754} - hxxp://www.visualwebtools.com/progressbar.cab
FF - ProfilePath - d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - component: d:\documents and settings\Steph and Scott\Application Data\Mozilla\Firefox\Profiles\a9mp4nin.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: d:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 00:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-28 00:54:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-28 05:54
ComboFix2.txt 2010-01-26 23:37
ComboFix3.txt 2010-01-26 05:37

Pre-Run: 1,817,833,472 bytes free
Post-Run: 1,870,069,760 bytes free

- - End Of File - - 9A228FD36D47B7C54CA11CFDF45290A5

by **jmw3** » January 28th, 2010, 4:00 am

Hi

Looks good. Any problems?

by **Crimson531** » January 28th, 2010, 4:28 pm

I can't say there are any problems with the computer. In fact, it's run the best it has in a long time, and I couldn't be happier. I was having such a hell of a time trying to figure out how to fix it on my own, but I couldn't do it. It's amazing how many wrong fixes there are out there. Thank you again for fixing my computer. I wish that I could donate some money to the website, but unfortunately I'm currently unemployed and money is kind of an issue for me at the moment. Is there any other way that I could contribute to the site?

Free Malware Removal Forum

iexplore runs by itself

iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Re: iexplore runs by itself

Who is online