WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


Banker.Fox.A and malware

2 posters

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 5:02 pm

more_horiz
Hello.

I see that you are running Limewire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

You are also running two antivirus', I see from the uninstall list you have Avast installed, along with Avira. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Symantec to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar
    Java(TM) 6 Update 11
    LimeWire 5.2.13

Completely uninstall Avira

Download the Avira Uninstallation Package

Extract the tool and run it.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
    [-HKLM\~\startupfolder\C:^Documents and Settings^Sam^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Banker.Fox.A and malware - Page 1 Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Banker.Fox.A and malware - Page 1 DXwU4
Banker.Fox.A and malware - Page 1 VvYDg

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 6:36 pm

more_horiz
Ok Belahzur! all done BUT
SIX PROBLEMS!!
1. I know he USED to have Avira and then changed it to Avast but Avra does not exist anywhere on his computer that I can see.
2. I am not quite sure what you mean when you say he is running Symantec? As far as I am aware he has never had this.
3. I have deleted the three items as you requested from Add/Remove Programs.
4. I ran the Avira uninstallation program but there was a message when I ran it but it flashed up so quickly I could not read it all properly. - I THINK it said that it could not run because something was open - but there was NOTHING else open.
5. I dragged the CFscript onto Combofix - I then got a mesage to say that there was a newer edition of Combofix did I want to update. As I had just updated it by adding the CFScrpt, I did not know if the update would undo the CFscript - so I said no. - If this was wrong please let me know and I will have to do it again!
6. When the Combofix ran with the CFscript added to it I again got the message about Avira still running - (which it wasn't!) I repeat - he hasn't got it ANYWHERE on his computer. Your uninstallation package thinks it is running but I cannot find it on Processes in Taskbar, or doing a 'search' of his C Drive or in Add/Remove Programs.

Here is the 2nd Combo-fix log

ComboFix 10-04-17.02 - Sam 18/04/2010 19:21:35.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.346 [GMT 1:00]
Running from: c:\documents and settings\Sam\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Sam\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1335 [VPS 100418-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-17 22:38 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 22:38 . 2010-04-17 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 22:38 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 19:41 . 2010-04-17 19:41 -------- d-----w- C:\_OTL
2010-04-17 11:58 . 2010-04-17 11:58 52224 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-17 11:58 . 2010-04-17 11:58 117760 ----a-w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-17 11:58 . 2010-04-17 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-17 11:57 . 2010-04-17 11:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-17 11:57 . 2010-04-17 11:57 -------- d-----w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com
2010-04-16 21:46 . 2010-04-16 21:46 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Threat Expert
2010-04-16 21:09 . 2010-01-22 08:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-16 21:09 . 2010-01-22 08:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-16 21:09 . 2010-01-22 08:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-16 21:09 . 2010-01-22 08:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-16 21:09 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-16 21:09 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2010-04-16 21:09 . 2010-02-05 08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-16 21:09 . 2010-03-10 10:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-16 21:09 . 2009-11-23 12:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-16 21:09 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-16 21:08 . 2010-04-16 21:41 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 21:08 . 2010-04-16 21:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-16 21:08 . 2010-04-16 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-16 21:08 . 2010-04-16 21:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-04-16 21:07 . 2010-04-18 08:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 21:07 . 2010-04-16 21:07 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-15 18:01 . 2010-04-16 21:00 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\kvmxqsenc
2010-04-13 16:21 . 2010-04-13 16:21 -------- d-----w- c:\program files\The Jcwd
2010-04-13 16:11 . 2000-05-16 10:40 83968 ----a-w- c:\windows\UnGins.exe
2010-04-13 16:11 . 2010-04-13 21:34 -------- d-----w- c:\program files\AKye
2010-03-30 18:16 . 2010-03-30 18:16 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2010-03-30 18:15 . 2010-03-30 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3388\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3388\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3388\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3388\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 18:13 . 2008-11-11 00:32 -------- d-----w- c:\program files\LimeWire
2010-04-18 17:54 . 2009-07-10 18:53 -------- d-----w- c:\program files\Gacela
2010-04-18 08:18 . 2010-01-03 15:32 -------- d-----w- c:\documents and settings\Sam\Application Data\HPAppData
2010-04-17 23:07 . 2008-03-23 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-17 21:00 . 2008-12-01 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-17 19:44 . 2008-11-04 13:55 -------- d-----w- c:\program files\Google
2010-04-17 11:56 . 2008-11-04 13:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-17 09:46 . 2008-11-04 14:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-17 09:46 . 2008-11-04 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-14 16:38 . 2010-03-08 19:16 439816 ----a-w- c:\documents and settings\Sam\Application Data\Real\Update\setup3.10\setup.exe
2010-04-12 22:57 . 2008-03-23 06:26 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-12 21:36 . 2008-11-11 00:38 -------- d-----w- c:\documents and settings\Sam\Application Data\LimeWire
2010-04-06 13:49 . 2010-01-19 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-27 19:02 . 2008-03-23 06:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-16 15:50 . 2009-11-16 13:20 79488 ----a-w- c:\documents and settings\Sam\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2004-08-05 04:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 20:01 . 2009-09-21 12:46 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2010-02-28 18:08 . 2008-12-20 18:43 -------- d-----w- c:\program files\QuickTime
2010-02-27 12:42 . 2010-02-27 12:42 -------- d-----w- c:\program files\Fox
2010-02-25 06:24 . 2007-12-07 01:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-05 04:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 17:26 . 2008-11-05 04:30 -------- d-----w- c:\program files\Launch Manager
2010-02-16 14:08 . 2007-02-28 09:53 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2007-02-28 09:16 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-06 10:35 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-05 04:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-05 04:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-04 20:01 . 2009-06-20 12:46 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2010-02-04 20:01 . 2009-06-20 12:46 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2010-02-04 20:01 . 2009-06-20 12:46 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2010-01-29 19:58 . 2009-12-03 19:51 75308 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-27 20:02 . 2009-06-20 12:46 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2010-01-27 20:02 . 2009-06-20 12:46 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2010-01-27 20:02 . 2009-06-06 13:13 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2010-01-27 20:02 . 2009-02-21 14:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 20:02 . 2009-10-25 14:01 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
2010-01-27 20:02 . 2009-06-20 12:46 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2010-01-27 20:02 . 2009-06-06 13:13 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2010-01-27 20:02 . 2009-06-20 12:46 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Savapibridge.dll
2010-01-27 20:02 . 2009-06-20 12:46 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2010-01-27 20:02 . 2009-06-06 13:13 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2010-01-27 20:02 . 2009-06-20 12:46 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2010-01-27 20:02 . 2009-06-06 13:13 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2010-01-27 20:01 . 2009-06-20 12:46 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2010-01-27 20:01 . 2009-06-20 12:46 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2010-01-27 20:01 . 2009-06-20 12:46 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2010-01-19 19:40 . 2010-01-19 19:40 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2006-10-11 08:04 . 2008-12-03 16:08 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-12-03 16:08 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-12-03 16:08 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-12-03 16:08 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-12-03 16:08 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-04 11:59 2349592 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-04 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-29 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"StarteLock"="c:\acer\Empowering Technology\eLock\Service\startelock.exe" [2008-04-30 24576]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-03 185872]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-27 788880]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-05 647520]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-08-09 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-11-5 45056]
EZ VHS Converter Monitor.lnk - c:\program files\ION\EZ VHS Converter\MediaTVMonitor.exe [2008-12-25 737280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\progra~1\WINDOW~4\MESSEN~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-03-18 00:03 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [07/11/2008 12:44 38448]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/02/2009 14:47 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [14/12/2008 12:10 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/04/2010 22:09 217032]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [17/08/2009 21:54 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/08/2009 21:54 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [16/04/2010 22:09 112592]
R2 Nurago-Reporting-Service;Nurago-Reporting-Service;c:\program files\Gacela\Nurago-Reporting.exe [01/04/2009 13:26 102400]
R2 Nurago-Update-Service;Nurago-Update-Service;c:\program files\Gacela\Nurago-Updater.exe [01/04/2009 13:27 176128]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [18/03/2009 01:03 92008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]
S2 gupdate1c9a1c113683008;Google Update Service (gupdate1c9a1c113683008);c:\program files\Google\Update\GoogleUpdate.exe [10/03/2009 21:44 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 12:17 1181328]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/07/2009 22:52 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [12/07/2009 22:56 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [12/07/2009 22:56 122024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [12/07/2009 23:09 111784]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [16/04/2010 22:08 366840]
S3 VCR2PC;VCR2PC Analog Capture;c:\windows\system32\drivers\0140_ION.sys [25/12/2008 19:58 277888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-04 18:26]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-10 20:44]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-10 20:44]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.linksys.com/
uInternet Settings,ProxyOverride =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\rhcnqdo6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vdio5&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\extensions\toolbar@dealio.com\components\DealioFF.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2622691187-3930871694-1860969691-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a3,46,32,ec,41,3e,c3,07,14,f1,49,44,fe,b4,8c,09,2b,21,40,4c,eb,2b,ee,
4d,fa,40,d1,db,59,cd,0d,cb,db,5a,7a,33,24,ed,90,c3,85,8f,7d,ae,52,d5,6f,6d,\
"??"=hex:fe,c7,7b,27,fc,5b,58,08,33,6c,42,33,39,0b,95,e2

[HKEY_USERS\S-1-5-21-2622691187-3930871694-1860969691-1008\Software\SecuROM\License information*]
"datasecu"=hex:b9,ce,7e,13,81,dd,be,24,9f,ec,ce,c6,95,7a,78,92,c9,7f,81,05,9c,
1f,aa,1f,fc,4f,7d,1d,8a,f5,a7,13,aa,f9,57,de,76,51,48,25,8e,94,b9,29,67,54,\
"rkeysecu"=hex:8f,82,27,2c,f0,1a,6a,7d,ee,8c,0e,e4,ff,c7,55,6b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(836)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2296)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\MFC71U.DLL
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 19:30:59
ComboFix-quarantined-files.txt 2010-04-18 18:30
ComboFix2.txt 2010-04-18 08:59

Pre-Run: 64,538,722,304 bytes free
Post-Run: 64,487,149,568 bytes free

- - End Of File - - EAD278DEBA4CF81736883086C162FF63

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 6:41 pm

more_horiz
Hello.

LMBO or ROFL LMBO or ROFL Ignore the Symantec bit, forgot to change that, bad edit on my part. Avira still shows in the log, so we'll have to get rid of it the hard way, because there's still an old trace left in the registry.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    KILLALL::

    Folder::
    c:\program files\LimeWire
    c:\documents and settings\Sam\Application Data\LimeWire

    SecCenter::
    {AD166499-45F9-482A-A743-FDD3350758C7}

    DDS::
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Banker.Fox.A and malware - Page 1 Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Banker.Fox.A and malware - Page 1 DXwU4
Banker.Fox.A and malware - Page 1 VvYDg

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 7:46 pm

more_horiz
Ok - thats all done.
Combofix came up with a message to say that it had deleted 2 items in Limewire - then I took my eyes off it for a minute and then I heard it re-booting! - It came back ok with Combofix still running and said it was producing log report - but Avast, Sygate and Super anti spyware all started up again when it re-booted along with MSN Messenger so I just shut them all down again as soon as possible.
Here is the log......sending in two parts as it's too big!

Part 1
ComboFix 10-04-17.02 - Sam 18/04/2010 20:06:37.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.274 [GMT 1:00]
Running from: c:\documents and settings\Sam\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Sam\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 100418-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sam\Application Data\LimeWire
c:\documents and settings\Sam\Application Data\LimeWire\.AppSpecialShare\Nip.Tuck.S05E01.DSR.XviD-NoTV.srt.torrent.bak
c:\documents and settings\Sam\Application Data\LimeWire\active.mojito
c:\documents and settings\Sam\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\Sam\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\Sam\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Sam\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Sam\Application Data\LimeWire\downloads.dat
c:\documents and settings\Sam\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Sam\Application Data\LimeWire\filters.props
c:\documents and settings\Sam\Application Data\LimeWire\gnutella.net
c:\documents and settings\Sam\Application Data\LimeWire\installation.props
c:\documents and settings\Sam\Application Data\LimeWire\library.dat
c:\documents and settings\Sam\Application Data\LimeWire\library5.dat
c:\documents and settings\Sam\Application Data\LimeWire\limewire.props
c:\documents and settings\Sam\Application Data\LimeWire\lock
c:\documents and settings\Sam\Application Data\LimeWire\mojito.props
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\280E3FA7d01
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\AE98BDEDd01
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A9Bd01
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\Cache\F9D3E29Fd01
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Sam\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Sam\Application Data\LimeWire\passive.mojito
c:\documents and settings\Sam\Application Data\LimeWire\player.props
c:\documents and settings\Sam\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Sam\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Sam\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\Sam\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Sam\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Sam\Application Data\LimeWire\questions.props
c:\documents and settings\Sam\Application Data\LimeWire\responses.cache
c:\documents and settings\Sam\Application Data\LimeWire\simpp.xml
c:\documents and settings\Sam\Application Data\LimeWire\spam.dat
c:\documents and settings\Sam\Application Data\LimeWire\tables.props
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Sam\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Sam\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Sam\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Sam\Application Data\LimeWire\version.xml
c:\documents and settings\Sam\Application Data\LimeWire\versions.props
c:\documents and settings\Sam\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Sam\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Sam\Application Data\LimeWire\xml\data\video.sxml2
c:\documents and settings\Sam\Application Data\LimeWire\xml\data\video.sxml3
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid3336.log
c:\program files\LimeWire\hs_err_pid804.log

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 7:46 pm

more_horiz
Part 2

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-17 22:38 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 22:38 . 2010-04-17 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 22:38 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 19:41 . 2010-04-17 19:41 -------- d-----w- C:\_OTL
2010-04-17 11:58 . 2010-04-17 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-17 11:57 . 2010-04-17 11:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-17 11:57 . 2010-04-17 11:57 -------- d-----w- c:\documents and settings\Sam\Application Data\SUPERAntiSpyware.com
2010-04-16 21:46 . 2010-04-16 21:46 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Threat Expert
2010-04-16 21:09 . 2010-01-22 08:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-16 21:09 . 2010-01-22 08:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-16 21:09 . 2010-01-22 08:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-16 21:09 . 2010-01-22 08:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-16 21:09 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-16 21:09 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2010-04-16 21:09 . 2010-02-05 08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-16 21:09 . 2010-03-10 10:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-16 21:09 . 2009-11-23 12:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-16 21:09 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-16 21:08 . 2010-04-16 21:41 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 21:08 . 2010-04-16 21:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-16 21:08 . 2010-04-16 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-16 21:08 . 2010-04-16 21:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-04-16 21:07 . 2010-04-18 19:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 21:07 . 2010-04-16 21:07 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-15 18:01 . 2010-04-16 21:00 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\kvmxqsenc
2010-04-13 16:21 . 2010-04-13 16:21 -------- d-----w- c:\program files\The Jcwd
2010-04-13 16:11 . 2000-05-16 10:40 83968 ----a-w- c:\windows\UnGins.exe
2010-04-13 16:11 . 2010-04-13 21:34 -------- d-----w- c:\program files\AKye
2010-03-30 18:16 . 2010-03-30 18:16 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2010-03-30 18:15 . 2010-03-30 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 19:17 . 2009-07-10 18:53 -------- d-----w- c:\program files\Gacela
2010-04-18 08:18 . 2010-01-03 15:32 -------- d-----w- c:\documents and settings\Sam\Application Data\HPAppData
2010-04-17 23:07 . 2008-03-23 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-17 21:00 . 2008-12-01 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-17 19:44 . 2008-11-04 13:55 -------- d-----w- c:\program files\Google
2010-04-17 11:56 . 2008-11-04 13:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-17 09:46 . 2008-11-04 14:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-17 09:46 . 2008-11-04 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-12 22:57 . 2008-03-23 06:26 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-06 13:49 . 2010-01-19 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-27 19:02 . 2008-03-23 06:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-10 06:15 . 2004-08-05 04:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 18:08 . 2008-12-20 18:43 -------- d-----w- c:\program files\QuickTime
2010-02-27 12:42 . 2010-02-27 12:42 -------- d-----w- c:\program files\Fox
2010-02-25 06:24 . 2007-12-07 01:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-05 04:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 17:26 . 2008-11-05 04:30 -------- d-----w- c:\program files\Launch Manager
2010-02-16 14:08 . 2007-02-28 09:53 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2007-02-28 09:16 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-06 10:35 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-05 04:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-05 04:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-29 19:58 . 2009-12-03 19:51 75308 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-27 20:02 . 2009-02-21 14:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2006-10-11 08:04 . 2008-12-03 16:08 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-12-03 16:08 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-12-03 16:08 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-12-03 16:08 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-12-03 16:08 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-04 11:59 2349592 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-04 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-29 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"StarteLock"="c:\acer\Empowering Technology\eLock\Service\startelock.exe" [2008-04-30 24576]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-03 185872]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-27 788880]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-05 647520]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-08-09 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-11-5 45056]
EZ VHS Converter Monitor.lnk - c:\program files\ION\EZ VHS Converter\MediaTVMonitor.exe [2008-12-25 737280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\progra~1\WINDOW~4\MESSEN~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-03-18 00:03 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [07/11/2008 12:44 38448]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/02/2009 14:47 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [14/12/2008 12:10 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/04/2010 22:09 217032]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [17/08/2009 21:54 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/08/2009 21:54 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [16/04/2010 22:09 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 12:17 1181328]
R2 Nurago-Reporting-Service;Nurago-Reporting-Service;c:\program files\Gacela\Nurago-Reporting.exe [01/04/2009 13:26 102400]
R2 Nurago-Update-Service;Nurago-Update-Service;c:\program files\Gacela\Nurago-Updater.exe [01/04/2009 13:27 176128]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [18/03/2009 01:03 92008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]
S2 gupdate1c9a1c113683008;Google Update Service (gupdate1c9a1c113683008);c:\program files\Google\Update\GoogleUpdate.exe [10/03/2009 21:44 133104]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/07/2009 22:52 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [12/07/2009 22:56 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [12/07/2009 22:56 122024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [12/07/2009 23:09 111784]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [16/04/2010 22:08 366840]
S3 VCR2PC;VCR2PC Analog Capture;c:\windows\system32\drivers\0140_ION.sys [25/12/2008 19:58 277888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:01]

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-04 18:26]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-10 20:44]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-10 20:44]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.linksys.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\rhcnqdo6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vdio5&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\extensions\toolbar@dealio.com\components\DealioFF.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 20:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2622691187-3930871694-1860969691-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a3,46,32,ec,41,3e,c3,07,14,f1,49,44,fe,b4,8c,09,2b,21,40,4c,eb,2b,ee,
4d,fa,40,d1,db,59,cd,0d,cb,db,5a,7a,33,24,ed,90,c3,85,8f,7d,ae,52,d5,6f,6d,\
"??"=hex:fe,c7,7b,27,fc,5b,58,08,33,6c,42,33,39,0b,95,e2

[HKEY_USERS\S-1-5-21-2622691187-3930871694-1860969691-1008\Software\SecuROM\License information*]
"datasecu"=hex:b9,ce,7e,13,81,dd,be,24,9f,ec,ce,c6,95,7a,78,92,c9,7f,81,05,9c,
1f,aa,1f,fc,4f,7d,1d,8a,f5,a7,13,aa,f9,57,de,76,51,48,25,8e,94,b9,29,67,54,\
"rkeysecu"=hex:8f,82,27,2c,f0,1a,6a,7d,ee,8c,0e,e4,ff,c7,55,6b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(844)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\MFC71U.DLL
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\RTHDCPL.EXE
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\Sam\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-04-18 20:35:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-18 19:35
ComboFix2.txt 2010-04-18 18:31
ComboFix3.txt 2010-04-18 08:59

Pre-Run: 64,507,502,592 bytes free
Post-Run: 64,416,346,112 bytes free

- - End Of File - - 42A735040E9D5B5984BADDB71092F0A8

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 10:24 pm

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Banker.Fox.A and malware - Page 1 DXwU4
Banker.Fox.A and malware - Page 1 VvYDg

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 10:31 pm

more_horiz
Hi Belahzur, Just to let you know I am off to bed now and have to go to work tomorrow so there might be a bit of a delay in my response tomorrow. I get home at 1900 hours BST so will carry on from there - providing you have left me some instructions of course! :-)

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware18th April 2010, 10:37 pm

more_horiz
Okay, I'll leave you with these:

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Banker.Fox.A and malware - Page 1 DXwU4
Banker.Fox.A and malware - Page 1 VvYDg

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware19th April 2010, 9:01 pm

more_horiz
Hi Belahzur!
Well everything looks Abssolutely fine!
Thank you SO much.
One small thing... When I ran the Combofix uninstall I got the message again about antivir still being Actve??
Didn't you say we would have to do that the hard way?

Not Regedit??

Here is the ESET Log


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bd12f52d4f8a3440816a2ec3244c2000
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-19 08:50:29
# local_time=2010-04-19 09:50:29 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 16775141 100 98 1666 207988062 0 0
# compatibility_mode=1028 16777214 0 15 21165955 21349607 0 0
# compatibility_mode=1792 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 308 308 0 0
# scanned=107931
# found=1
# cleaned=1
# scan_time=6926
C:\Program Files\DVDVideoSoft\Free Video to DVD Converter\eBay_shortcuts_1045.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C


So if you can let me know about the Antivir thing - I think we are done??

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware20th April 2010, 12:16 pm

more_horiz
Hmm, weird, Combofix removed Avira from the SC.

Anyhow, this looks good now, hows the machine running?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Banker.Fox.A and malware - Page 1 DXwU4
Banker.Fox.A and malware - Page 1 VvYDg

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware20th April 2010, 12:39 pm

more_horiz
It is absoluetely fine!!
Thank you very much for all your help - it is very much appreciated.
He has just bought a copy of Spyware Doctor with Anti-virus!!

descriptionBanker.Fox.A and malware - Page 1 EmptyRe: Banker.Fox.A and malware

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum