« previous next »
Pages: 1 [2]   Go Down

Author Topic: [Resolved]Re-direct and popups  (Read 2465 times)

0 Members and 1 Guest are viewing this topic.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7293
Re: [In Progress]Re-direct and popups
« Reply #15 on: August 23, 2009, 10:46:33 AM »
Hi,

OK, we will do something else.  Please perform the following scan:
  • Download any one of the following DDS files by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.   
  • When done, DDS will open two (2) logs

         1. DDS.txt
         2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

 
  • Instead of attaching, please copy/paste both logs into your next reply.

  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet. 
Information on A/V control HERE
Logged
Don't Read?  Can't learn!

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [In Progress]Re-direct and popups
« Reply #16 on: August 23, 2009, 11:12:53 AM »
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/4/2005 1:32:01 AM
System Uptime: 8/23/2009 12:27:04 PM (1 hours ago)

Motherboard: Dell Computer Corporation |  | 09U807
Processor:               Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2790/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 28 GiB total, 12.378 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP345: 5/30/2009 2:54:55 PM - System Checkpoint
RP346: 5/31/2009 9:00:43 PM - System Checkpoint
RP347: 6/2/2009 5:42:23 PM - System Checkpoint
RP348: 6/3/2009 6:35:31 PM - System Checkpoint
RP349: 6/3/2009 8:55:56 PM - Software Distribution Service 3.0
RP350: 6/9/2009 5:57:14 PM - System Checkpoint
RP351: 6/9/2009 6:25:44 PM - Installed Java(TM) 6 Update 14
RP352: 6/10/2009 6:38:54 PM - System Checkpoint
RP353: 6/11/2009 5:38:11 PM - Software Distribution Service 3.0
RP354: 6/14/2009 8:00:16 PM - System Checkpoint
RP355: 6/16/2009 5:19:23 PM - Removed Safari
RP356: 6/16/2009 5:23:30 PM - Removed AVG 8.5
RP357: 6/18/2009 5:03:09 PM - System Checkpoint
RP358: 6/21/2009 8:37:38 AM - System Checkpoint
RP359: 6/25/2009 7:21:58 PM - System Checkpoint
RP360: 6/28/2009 2:16:19 PM - System Checkpoint
RP361: 6/29/2009 8:16:24 PM - System Checkpoint
RP362: 7/3/2009 9:48:13 AM - System Checkpoint
RP363: 7/4/2009 9:56:09 AM - System Checkpoint
RP364: 7/5/2009 2:55:46 PM - System Checkpoint
RP365: 7/6/2009 6:02:12 PM - System Checkpoint
RP366: 7/11/2009 1:46:32 PM - System Checkpoint
RP367: 7/13/2009 4:34:59 PM - System Checkpoint
RP368: 7/15/2009 5:24:58 PM - Software Distribution Service 3.0
RP369: 7/17/2009 11:15:03 PM - System Checkpoint
RP370: 7/20/2009 4:39:10 PM - System Checkpoint
RP371: 7/23/2009 5:46:48 PM - System Checkpoint
RP372: 7/28/2009 5:09:54 PM - Software Distribution Service 3.0
RP373: 8/6/2009 5:12:11 PM - Installed Java(TM) 6 Update 15
RP374: 8/6/2009 5:13:31 PM - Installed Java Runtime Environment
RP375: 8/22/2009 6:12:47 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Photoshop Album 2.0 Starter Edition
AntiSpy
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
ArcSoft Software Suite
Ashampoo WinOptimizer 2009
ATI Control Panel
ATI Display Driver
BCM V.92 56K Modem
Bonjour
Canon CanoScan Toolbox 4.1
Canon i560
Critical Update for Windows Media Player 11 (KB959772)
Defender Pro Internet Security
Defender Pro PC Repair
Dell ResourceCD
Dell TrueMobile 1400 Dual Band WLAN Mini-PCI Card
DeLorme Street Atlas USA 2005
DeLorme Street Atlas USA 2005 Data
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp deskjet 940c series
hp deskjet 940c series (Remove only)
InterActual Player
Internet Cleanup
iTunes
J2SE Runtime Environment 5.0 Update 1
Java(TM) 6 Update 15
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Manual CanoScan 5000,5000F,8000F
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Professional Edition 2003
Microsoft Streets and Trips 2004
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Test
Modem User Guide
Movcoder
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nikon View 6
Octoshape add-in for Adobe Flash Player
OmniPage SE
OpenOffice.org Installer 1.0
PowerDVD
Presto! PageManager 6
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SigmaTel AC97 Audio Drivers
SnapSync Software
Sonic RecordNow!
Street Atlas USA 2005
Synaptics Pointing Device Driver
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 11

==== Event Viewer Messages From Past Week ========

8/23/2009 9:34:14 AM, error: DCOM [10005]  - DCOM got error "%1055" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
8/23/2009 9:34:12 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
8/22/2009 8:52:03 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/22/2009 5:34:01 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/22/2009 4:18:52 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Fips intelppm kl1 klif
8/20/2009 4:59:23 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/20/2009 4:41:11 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD Fips intelppm IPSec kl1 klif MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/20/2009 4:41:11 PM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:  A device attached to the system is not functioning.
8/20/2009 4:41:11 PM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/20/2009 4:41:11 PM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/20/2009 4:41:11 PM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBT service which failed to start because of the following error:  A device attached to the system is not functioning.
8/20/2009 4:41:11 PM, error: Service Control Manager [7001]  - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/20/2009 4:41:11 PM, error: Service Control Manager [7001]  - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/20/2009 4:40:35 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/18/2009 9:01:55 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Defender Pro Internet Security service to connect.
8/18/2009 9:01:55 PM, error: Service Control Manager [7000]  - The Defender Pro Internet Security service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
8/18/2009 8:53:00 PM, error: Schedule [7901]  - The At1.job command failed to start due to the following error:  %%2147942403
8/18/2009 5:41:17 PM, error: Service Control Manager [7023]  - The Application Management service terminated with the following error:  The specified module could not be found.
8/18/2009 5:36:35 PM, error: RemoteAccess [20106]  - Unable to add the interface {A2CD59B8-3713-4793-AA4B-BD92C1BCEFB0} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function.

==== End Of File ===========================

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Colin L. Williams at 13:07:38.82 on Sun 08/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.304 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Colin L. Williams\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: ICHlprObj Class: {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - c:\program files\aladdin systems\internet cleanup\IC3hlpr.dll
BHO: PopupFilter Class: {1f2e844b-8211-46ff-8262-772f03295cf4} - c:\program files\aladdin systems\internet cleanup\PopFiltr.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0989.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0989.0\msneshellx.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Ebar Class: {68627251-8a78-4bf4-8dd8-c4231dd80494} - c:\program files\aladdin systems\internet cleanup\IC3hlpr.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LaunchAntiSpy] c:\program files\defenderpro\TSAntiSpy.exe /startup
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\colin l. williams\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\defender pro\defender pro internet security 6.0\scieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {bba9a1cb-c90a-4912-8f01-dfa51a2b4102} - {68627251-8a78-4bf4-8dd8-c4231dd80494} - c:\program files\aladdin systems\internet cleanup\IC3hlpr.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\defend~1\defend~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
S1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-26 175376]
S2 AVP;Defender Pro Internet Security;c:\program files\defender pro\defender pro internet security 6.0\avz.exe [2007-8-14 206152]
S2 icservice;icservice;c:\program files\aladdin systems\internet cleanup\icserv.exe [2003-4-14 32768]

=============== Created Last 30 ================

2009-08-23 11:43   <DIR>   --d-----   c:\program files\Malwarebytes'Anti-Malware
2009-08-22 18:48   38,160   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 18:48   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-22 18:48   19,096   a-------   c:\windows\system32\drivers\mbam.sys
2009-08-20 18:14   <DIR>   --d-----   c:\program files\Trend Micro
2009-08-20 17:37   <DIR>   --d-----   c:\windows\ERUNT
2009-08-20 17:37   <DIR>   --d-----   C:\!FixIEDef
2009-08-18 21:05   <DIR>   --d-----   c:\docume~1\colinl~1.wil\applic~1\Bin
2009-08-18 21:01   242,976   a--sh---   c:\windows\system32\drivers\fidbox2.dat
2009-08-18 21:01   21,308   a--sh---   c:\windows\system32\drivers\fidbox2.idx
2009-08-18 21:01   32   a--sh---   c:\windows\system32\drivers\fidbox.idx
2009-08-18 21:01   32   a--sh---   c:\windows\system32\drivers\fidbox.dat
2009-08-18 20:57   137   a-------   c:\windows\tsiwinfile.dat
2009-08-18 20:57   <DIR>   --d-----   c:\windows\AntiSpy
2009-08-18 20:57   <DIR>   --d-----   c:\program files\DefenderPro
2009-08-18 20:54   91,700   a-------   c:\windows\system32\drivers\klin.dat
2009-08-18 20:54   85,860   a-------   c:\windows\system32\drivers\klick.dat
2009-08-18 20:54   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Defender Pro
2009-08-18 20:47   <DIR>   --d-----   c:\program files\Ashampoo
2009-08-18 20:43   <DIR>   --d-----   c:\program files\Defender Pro
2009-08-18 16:58   <DIR>   --d-----   c:\program files\Movcoder
2009-08-12 17:10   128,512   -c------   c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 17:10   1,315,328   -c------   c:\windows\system32\dllcache\msoe.dll
2009-08-06 17:13   <DIR>   --d-----   c:\program files\Carbonite
2009-08-05 05:01   204,800   -c------   c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M  ====================

2009-08-05 05:01   204,800   a-------   c:\windows\system32\mswebdvd.dll
2009-07-25 05:23   411,368   a-------   c:\windows\system32\deploytk.dll
2009-07-17 15:01   58,880   a-------   c:\windows\system32\atl.dll
2009-07-13 23:43   286,208   --------   c:\windows\system32\wmpdxm.dll
2009-06-29 12:12   827,392   a-------   c:\windows\system32\wininet.dll
2009-06-29 12:12   78,336   a-------   c:\windows\system32\ieencode.dll
2009-06-29 12:12   17,408   --------   c:\windows\system32\corpol.dll
2009-06-16 10:36   119,808   a-------   c:\windows\system32\t2embed.dll
2009-06-16 10:36   81,920   a-------   c:\windows\system32\fontsub.dll
2009-06-12 08:31   76,288   a-------   c:\windows\system32\telnet.exe
2009-06-10 10:13   84,992   a-------   c:\windows\system32\avifil32.dll
2009-06-10 09:19   2,066,432   a-------   c:\windows\system32\mstscax.dll
2009-06-10 02:14   132,096   a-------   c:\windows\system32\wkssvc.dll
2009-06-05 11:42   2,060,288   a-------   c:\windows\system32\usbaaplrc.dll
2009-06-03 15:09   1,291,264   a-------   c:\windows\system32\quartz.dll
2009-06-02 11:17   75,776   a-------   c:\windows\system32\WS2Fix.exe
2005-04-05 21:43   336,644   --------   c:\program files\ClnBBear.zip
2005-04-05 10:31   381,959   --------   c:\program files\ClnAbot.zip
2005-03-28 19:00   21,848,504   --------   c:\program files\iTunesSetup.exe
2005-03-07 09:56   4,424,776   --------   c:\program files\EZAntivirus.exe
2005-03-04 15:59   2,636,408   a-------   c:\program files\aawsepersonal.exe
2008-09-17 19:03   32,768   a--sh---   c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat
2008-09-28 12:17   32,768   a--sh---   c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 13:08:17.53 ===============
Logged

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7293
Re: [In Progress]Re-direct and popups
« Reply #17 on: August 23, 2009, 12:14:50 PM »
Hi,

OK, I see several issues.  Do you have or had Kaspersky Anti-Virus installed on your system?  I see parts of that, and they will badly interact with Defender Pro.  I also see a lot several other "anti-malware" that were installed recently a couple of which are rogues.  You also have fake codec malware, and an agobot worm.  

Please do the following:

1.  Uninstall all of the following:

AntiSpy
Defender Pro Internet Security
Defender Pro PC Repair
Movcoder
Viewpoint Media Player

I want to take your system back to being free of most security software that are likely conflicting.  We can install appropriate ones later.

2.  Download Combofix from any of the links below, and save it to your desktop.  For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

a. Close any open browsers.

b. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:  Do not click combofix's window with your mouse while it's running. That may cause it to stall.

3.  Please post the following:

a. combofix.txt
b. a fresh HJT log
c. let me know if you can now boot into normal Windows (I doubt you will at this point, but I still want to check).
« Last Edit: August 23, 2009, 12:18:22 PM by PCBruiser »
Logged
Don't Read?  Can't learn!

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [In Progress]Re-direct and popups
« Reply #18 on: August 23, 2009, 01:26:50 PM »
PCB,
OK several things just happened.  But first to answer you question I don't remember installing Kaspersky Anti-Virus unless it was part of Defender Pro.  I have removed all the Antivirus soft ware I could find. 

My system booted up in normal, I missed the F8 key, I down loaded Combofix and ran it.  Before it finished I got a system error message: Paraphrase:  A problem was detected and windows shut down to prevent damage to computer. 

Driver IRQL_NOT_LESS_OR_EQUAL

Technical information: ***stop:  0x000000D1 (0x00000006, 0x000000002, 0x00000000, 0xF19F4B22)

Beginning dump of physical memory
physical memory dump complete

But before all that happened, Combofix said I didn't have a system recovery program which I did before but it installed a new one. 

Then I send the message error to micro soft and they said this:
 
Follow these steps to solve the problem with a device driver

You received this message because a device driver installed on your computer caused Windows to stop unexpectedly. This type of error is referred to as a "stop error." A stop error requires you to restart your computer.

Troubleshooting

--------------------------------------------------------------------------------


Depending on which situation is applicable to you, do one of the following:

If this problem occurred after you installed a new hardware device on your computer, the problem might be caused by the device driver. Use the Dell Driver Reset Tool or uninstall the driver.

How do I disable or uninstall a device driver?

Click Start, and then click Control Panel. If you are using Classic View, click Switch to Category View.
Click Performance and Maintenance, and then click System.
Click the Hardware tab, and then click Device Manager.
Click the plus sign (+) next to the faulting device. You should now see the device listed.
Right-click the device, and then click Disable or Uninstall.
If this problem occurred after you installed new software, the software might have installed a driver that caused the problem. Try uninstalling the software.

How do I uninstall a program?


Click Start, click Control Panel, and then click Add or Remove Programs.

Click Change or Remove Programs, click the program you want to remove, and then click Change/Remove or Remove.

Note
If the program that you want to uninstall isn't listed, it might not have been written for this version of Windows. To uninstall the program, check the information that came with the program.


If you don't know the specific driver or software, try performing a System Restore.

Go online to check for updated drivers for a device driver on the Windows Update website

Go online to the Windows Update website:


Windows Update


Note
If Microsoft Update is installed, you'll be taken to the Microsoft Update website.

Click Custom to check for available updates.

In the left pane, under Select by Type, click Hardware, Optional. Select the updates for a device driver, click Review and install updates, and then click Install Updates.

For information about your support options, go online to the Support.Dell.Com website.
 
that's it.
Logged

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7293
Re: [In Progress]Re-direct and popups
« Reply #19 on: August 23, 2009, 01:35:05 PM »
Hi,

First, see if there is a file c:\combofix.txt.  If there is, open it in Notepad, go to the Format menu and uncheck Wordwrap.  Then copy and paste the log for me to see.

If there isn't a file c:\combofix.txt, then reboot into Safe Mode and try to run ComboFix from there.

We are making some progress, at least we can boot into normal Windows now, which suggests that some conflicts among the software we uninstalled was at least part of the problem.  Once we get ComboFix running I will do further cleanup and hopefully fix the driver issue, which I feel is either malware related or part of the conflict issue.
Logged
Don't Read?  Can't learn!

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [In Progress]Re-direct and popups
« Reply #20 on: August 23, 2009, 03:00:17 PM »
PCB,
Sorry I had to eat dinner and Windows did somethings that had to be restarted three times.  Here's the Combofix txt.

omboFix 09-08-22.06 - Colin L. Williams 08/23/2009 16:01.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.382 [GMT -4:00]
Running from: c:\documents and settings\Colin L. Williams\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Colin L. Williams\Local Settings\Temporary Internet Files\13050b8a.bmp
c:\documents and settings\Colin L. Williams\Local Settings\Temporary Internet Files\35050aec.bmp
c:\documents and settings\Colin L. Williams\Local Settings\Temporary Internet Files\index.dat
c:\windows\Fonts\Wphv07nb.ttf
c:\windows\Installer\9e14d.msp
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\ESQULtacxivdjbvxtevxfqpatsqtgekpkpjtv.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\ESQULalqeaxvmtkiqennbsmpmfwmiqqkerjke.dll
c:\windows\system32\ESQULpphyfppbnrjrfwsinwbmerjponqickir.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys
-------\Service_ESQULserv.sys


(((((((((((((((((((((((((   Files Created from 2009-07-23 to 2009-08-23  )))))))))))))))))))))))))))))))
.

2009-08-23 15:43 . 2009-08-23 16:24   --------   d-----w-   c:\program files\Malwarebytes'Anti-Malware
2009-08-22 22:48 . 2009-08-03 17:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 22:48 . 2009-08-22 22:48   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-22 22:48 . 2009-08-03 17:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-08-20 22:14 . 2009-08-20 22:14   --------   d-----w-   c:\program files\Trend Micro
2009-08-20 21:38 . 2009-08-20 21:38   --------   d-----w-   C:\ERDNT
2009-08-20 21:37 . 2009-08-20 21:37   --------   d-----w-   c:\windows\ERUNT
2009-08-20 21:37 . 2009-08-20 21:38   --------   d-----w-   C:\!FixIEDef
2009-08-19 01:05 . 2009-08-19 01:05   --------   d-----w-   c:\documents and settings\Colin L. Williams\Application Data\Bin
2009-08-19 00:57 . 2009-08-19 00:57   137   ----a-w-   c:\windows\tsiwinfile.dat
2009-08-19 00:57 . 2009-08-19 00:57   --------   d-----w-   c:\windows\AntiSpy
2009-08-19 00:47 . 2009-08-19 00:47   --------   d-----w-   c:\program files\Ashampoo
2009-08-19 00:43 . 2009-08-19 00:54   --------   d-----w-   c:\program files\Defender Pro
2009-08-12 21:10 . 2009-07-10 13:27   1315328   -c----w-   c:\windows\system32\dllcache\msoe.dll
2009-08-06 21:13 . 2009-08-18 20:22   --------   d-----w-   c:\program files\Carbonite
2009-08-05 09:01 . 2009-08-05 09:01   204800   -c----w-   c:\windows\system32\dllcache\mswebdvd.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 18:47 . 2008-12-11 02:46   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-23 01:21 . 2009-06-13 20:48   --------   d-----w-   c:\program files\Bonjour
2009-08-22 21:35 . 2005-03-04 20:21   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-20 21:01 . 2007-11-28 00:04   --------   d-----w-   c:\program files\Google
2009-08-19 20:52 . 2005-03-06 05:21   71624   ----a-w-   c:\documents and settings\Colin L. Williams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 22:53 . 2009-06-13 18:18   --------   d-----w-   c:\documents and settings\Colin L. Williams\Application Data\LimeWire
2009-08-18 21:40 . 2005-03-04 15:45   --------   d-----w-   c:\program files\Common Files\Adobe
2009-08-06 21:12 . 2005-03-11 02:06   --------   d-----w-   c:\program files\Java
2009-08-05 09:01 . 2003-07-16 20:37   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2008-11-28 14:38   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2003-07-16 20:24   58880   ----a-w-   c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56   286208   ------w-   c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-12-08 00:37   827392   ----a-w-   c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-07-16 20:25   17408   ------w-   c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2003-07-16 20:47   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2003-07-16 20:47   76288   ----a-w-   c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-07-16 20:24   84992   ----a-w-   c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-03-04 06:19   2066432   ----a-w-   c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-07-16 20:52   132096   ----a-w-   c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-06-13 20:57   2060288   ----a-w-   c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-01-19 17:30   39424   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2003-07-16 20:42   1291264   ----a-w-   c:\windows\system32\quartz.dll
2005-04-06 01:43 . 2005-04-06 01:43   336644   ------w-   c:\program files\ClnBBear.zip
2005-04-05 14:31 . 2005-04-05 14:31   381959   ------w-   c:\program files\ClnAbot.zip
2005-03-28 23:00 . 2005-03-28 23:00   21848504   ------w-   c:\program files\iTunesSetup.exe
2005-03-07 13:56 . 2005-03-07 13:56   4424776   ------w-   c:\program files\EZAntivirus.exe
2005-03-04 19:59 . 2005-03-04 19:59   2636408   ----a-w-   c:\program files\aawsepersonal.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-08 294912]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-03 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-03 610304]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Colin L. Williams\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-7-27 225280]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2005-3-4 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S2 icservice;icservice;c:\program files\Aladdin Systems\Internet Cleanup\icserv.exe [4/14/2003 2:35 PM 32768]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(512)
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-23 16:46 - machine was rebooted
ComboFix-quarantined-files.txt  2009-08-23 20:46

Pre-Run: 14,290,604,032 bytes free
Post-Run: 14,247,251,968 bytes free

153   --- E O F ---   2009-08-12 21:50
Logged

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7293
Re: [In Progress]Re-direct and popups
« Reply #21 on: August 23, 2009, 03:25:48 PM »
Hi,

I need a fresh HJT log as well.  Your system certainly had malware, a common rootkit to be specific.  But, ComboFix did kill that.  After I see the HJT log, I am going to do some additional manual cleanup, and then we can address the issue of your system's security from a clean slate. 

Does your system boot into normal Windows now?  If so, can you try to reinstall MBAM from a fresh download and then run it.  I think the problems you had running it before related to the rootkit since I know that malware tries hard to block MBAM from running.  It is gone now, so I expect that MBAM should run normally now.  If it does, post a log from that as well.
Logged
Don't Read?  Can't learn!

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [In Progress]Re-direct and popups
« Reply #22 on: August 23, 2009, 06:47:55 PM »
PCB,
Sorry it took so long, It looks like I'm booting in normal Windows again and the malware is gone.  It looked bad for a while.  Here's the two logs you requested.  Thanks I know we have a little more to do.  I'll be back on monday night. 



Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 5.1.2600 Service Pack 3

8/23/2009 8:39:19 PM
mbam-log-2009-08-23 (20-39-19).txt

Scan type: Quick Scan
Objects scanned: 98411
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:42:53, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0989.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0989.0\msneshellx.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: IC 3.0 - {bba9a1cb-c90a-4912-8f01-dfa51a2b4102} - C:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: icservice - Aladdin Systems, Inc. - C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6340 bytes
Logged

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7293
Re: [In Progress]Re-direct and popups
« Reply #23 on: August 24, 2009, 05:53:29 AM »
Hi,

With malware like that, you can have a period during which the system looks like it will need a full reformat and reinstall.  But, more than 90% of the time, we can remove even the worst ones without needing to do that. 

I am going to use ComboFix to do some cleanup of some remaining files from all the excess security software on your system, then I will make recommendations for you on what to use for your anti-virus and software firewall.  Do the ComboFix first, because the a/v and firewall may interfere with it.

1.  Open notepad, go to the format menu, uncheck Word Wrap, and then copy/paste the text in the code box below into it:

Code: [Select]

KILLALL::

File::
c:\program files\EZAntivirus.exe
c:\program files\aawsepersonal.exe
c:\program files\ClnBBear.zip
c:\program files\ClnAbot.zip

Folder::
c:\documents and settings\Colin L. Williams\Application Data\LimeWire
c:\program files\Defender Pro
c:\windows\AntiSpy
C:\!FixIEDef


Save this to your Desktop as CFScript.txt.

2.  Close all open browsers.




3.  Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

4.  For an AntiVirus, I recommend AntiVir (Free).  Download and install AntiVir PE (Free) from here:

http://www.free-av.com/

Make sure you install AntiVir Guard, the real-time protection. Next open AntiVir and update it to the current definitions. If you would prefer to use a different anti-virus, please check it out with me first.

5.  For your firewall I recommend Online Armor (Free).  Download and install Online Armor Free from here:

http://www.tallemu.com/

The link to the free version is on the left hand side of that page.

If you would prefer to use a different firewall, you can try a different one, but check it with me first to make sure it is legitimate firewall software.

6.  Please post the following:

a. combofix.txt
b. a fresh HJT log  <-------Run this after installing the a/v and firewall.

« Last Edit: August 24, 2009, 05:58:29 AM by PCBruiser »
Logged
Don't Read?  Can't learn!

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [In Progress]Re-direct and popups
« Reply #24 on: August 24, 2009, 04:39:09 PM »
PCB,
Here's the logs you requested.  

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24:24, on 8/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0989.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0989.0\msneshellx.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: IC 3.0 - {bba9a1cb-c90a-4912-8f01-dfa51a2b4102} - C:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: icservice - Aladdin Systems, Inc. - C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6964 bytes

Logged

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [In Progress]Re-direct and popups
« Reply #25 on: August 24, 2009, 04:41:54 PM »
PCB,

It didn't fit on one message so I had to break it up.  


ComboFix 09-08-24.05 - Colin L. Williams 08/24/2009 16:03.2.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.290 [GMT -4:00]
Running from: c:\documents and settings\Colin L. Williams\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Colin L. Williams\Desktop\CFScript.txt

FILE ::
"c:\program files\aawsepersonal.exe"
"c:\program files\ClnAbot.zip"
"c:\program files\ClnBBear.zip"
"c:\program files\EZAntivirus.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\!FixIEDef
c:\!fixiedef\Temp\Directories.txt
c:\!fixiedef\Temp\Files.txt
c:\!fixiedef\Temp\RegistryItems.txt
c:\!fixiedef\Temp\UserInitExe.txt
c:\!fixiedef\tmp.reg
c:\!fixiedef\tmp.txt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\downloads.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\gnutella.net
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\installation.props
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\library.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\library5.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\limewire.props
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mojito.props
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\30B5DE57d01
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\580E3FA7d01
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\AE98BDEDd01
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\B7E8F4C3d01
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A9Bd01
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\questions.props
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\responses.cache
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\simpp.xml
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\spam.dat
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\tables.props
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\version.xml
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\versions.props
c:\documents and settings\Colin L. Williams\Application Data\LimeWire\xml\data\audio.sxml3
c:\program files\aawsepersonal.exe
c:\program files\ClnAbot.zip
c:\program files\ClnBBear.zip
c:\program files\Defender Pro
c:\program files\EZAntivirus.exe
c:\windows\AntiSpy
c:\windows\AntiSpy\uninstall.exe
Logged

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [In Progress]Re-direct and popups
« Reply #26 on: August 24, 2009, 04:43:21 PM »
Here's the last part of Combofix. 

.
(((((((((((((((((((((((((   Files Created from 2009-07-24 to 2009-08-24  )))))))))))))))))))))))))))))))
.

2009-08-24 00:31 . 2009-08-24 00:31   --------   d-----w-   c:\documents and settings\Colin L. Williams\Application Data\Malwarebytes
2009-08-24 00:31 . 2009-08-24 00:31   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-08-23 15:43 . 2009-08-23 16:24   --------   d-----w-   c:\program files\Malwarebytes'Anti-Malware
2009-08-22 22:48 . 2009-08-03 17:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 22:48 . 2009-08-22 22:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-22 22:48 . 2009-08-03 17:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-08-20 22:14 . 2009-08-20 22:14   --------   d-----w-   c:\program files\Trend Micro
2009-08-20 21:38 . 2009-08-20 21:38   --------   d-----w-   C:\ERDNT
2009-08-20 21:37 . 2009-08-20 21:37   --------   d-----w-   c:\windows\ERUNT
2009-08-19 01:05 . 2009-08-19 01:05   --------   d-----w-   c:\documents and settings\Colin L. Williams\Application Data\Bin
2009-08-19 00:57 . 2009-08-19 00:57   137   ----a-w-   c:\windows\tsiwinfile.dat
2009-08-19 00:47 . 2009-08-19 00:47   --------   d-----w-   c:\program files\Ashampoo
2009-08-12 21:10 . 2009-07-10 13:27   1315328   -c----w-   c:\windows\system32\dllcache\msoe.dll
2009-08-06 21:13 . 2009-08-18 20:22   --------   d-----w-   c:\program files\Carbonite
2009-08-06 21:11 . 2009-08-06 21:11   152576   ----a-w-   c:\documents and settings\Colin L. Williams\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:01 . 2009-08-05 09:01   204800   -c----w-   c:\windows\system32\dllcache\mswebdvd.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 19:48 . 2008-12-11 02:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2009-08-23 01:21 . 2009-06-13 20:48   --------   d-----w-   c:\program files\Bonjour
2009-08-22 21:35 . 2005-03-04 20:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-20 21:01 . 2007-11-28 00:04   --------   d-----w-   c:\program files\Google
2009-08-19 20:52 . 2005-03-06 05:21   71624   ----a-w-   c:\documents and settings\Colin L. Williams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 21:40 . 2005-03-04 15:45   --------   d-----w-   c:\program files\Common Files\Adobe
2009-08-06 21:12 . 2005-03-11 02:06   --------   d-----w-   c:\program files\Java
2009-08-05 09:01 . 2003-07-16 20:37   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2008-11-28 14:38   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2003-07-16 20:24   58880   ----a-w-   c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56   286208   ------w-   c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-12-08 00:37   827392   ------w-   c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-07-16 20:25   17408   ------w-   c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2003-07-16 20:47   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-13 20:51 . 2009-06-13 20:51   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-12 12:31 . 2003-07-16 20:47   76288   ----a-w-   c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-07-16 20:24   84992   ----a-w-   c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-03-04 06:19   2066432   ----a-w-   c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-07-16 20:52   132096   ----a-w-   c:\windows\system32\wkssvc.dll
2009-06-09 22:25 . 2009-06-09 22:25   152576   ----a-w-   c:\documents and settings\Colin L. Williams\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 15:42 . 2009-06-13 20:57   2060288   ----a-w-   c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-01-19 17:30   39424   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2003-07-16 20:42   1291264   ----a-w-   c:\windows\system32\quartz.dll
2005-03-28 23:00 . 2005-03-28 23:00   21848504   ------w-   c:\program files\iTunesSetup.exe
.

(((((((((((((((((((((((((((((   SnapShot@2009-08-23_20.42.12   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-24 20:12 . 2009-08-24 20:12   16384              c:\windows\temp\Perflib_Perfdata_7ac.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-08 294912]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-03 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-03 610304]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Colin L. Williams\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-7-27 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2005-3-4 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 icservice;icservice;c:\program files\Aladdin Systems\Internet Cleanup\icserv.exe [4/14/2003 2:35 PM 32768]
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-03-13 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-07-16 00:12]

2009-08-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-22 19:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 16:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3944)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-24 16:19 - machine was rebooted
ComboFix-quarantined-files.txt  2009-08-24 20:19
ComboFix2.txt  2009-08-23 20:46

Pre-Run: 13,669,601,280 bytes free
Post-Run: 13,598,269,440 bytes free

530   --- E O F ---   2009-08-24 00:51
Logged

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7293
Re: [In Progress]Re-direct and popups
« Reply #27 on: August 25, 2009, 08:03:04 AM »
    Hi,

    Excellent.  Looks good.  How is your system running now?

    Before we finish, we need to delete the tools we used, and all the files/folders they quarantined.

    Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the icon.
  • Click the large "Cleanup" button.
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
  • Make sure you have an Internet Connection.
  • If you have a firewall that throws out a message that OTMI3 is attempting to contact the Internet that it should be allowed.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Here are some tips for keeping safe on the Internet.

1.  Always use your AntiVirus and Firewall software.  Update your AntiVirus virus definitions at least once a day.  Scan with it at least once every 2 days.  Check for updates to your Firewall weekly.

2.  Keep using MBAM.  Update the definitions daily and do a quick scan at least once every 2 days.  The free version does not have any real time protection.  If you want extra security, the paid version offers real time protection plus automatic definition updates.

3.  Download and use SpywareBlaster from Javacool. 

4.  Download and use Spybot S&D.  Do not install or use the TeaTimer feature, it can conflict with other security software. 

5.  Use an alternative browser rather than IE.  Two excellent and well tested free ones are Firefox and Opera.  If you use Firefox, make sure to install the AdBlock Plus and NoScript extensions.    WOT ("Web of Trust") is another site evaluation program similar to SiteSdvisor, so it is a good second opinion as to the safety of sites you may visit.  You will find these extensions and hundreds more on the Firefox site.

6.  Download and use McAfee SiteAdvisor.  SiteAdvisor does not work with Opera. 

7.  Always keep your Java version up to date.  Check regularly for updates to Java HERE.

8.  Regularly check the Calendar of Updates for updates to your security software. 

9.  Please read and follow the recommendations in this article.  So how did I get infected in the first place?

10.  Fortunately, not all computer slowdowns and other problems are the result of malware.  Defragmenting, cleaning browser caches, emptying temp folders and other procedures can often speed performance dramatically.  An excellent guide and some additional tools to accomplish these tasks can be found at Slow Computer May Not Be Malware Related.

11.  Always do backups.  For more information on designing a good backup strategy for your system, please see this LINK.

12.  Never use P2P programs or download any software or other files from P2P.  Most of those files are hopelessly infected with malware, are intended to do harm, and will kill your system.  Continuing to use P2P for any purpose in today's environment is a major mistake.

Following these recommendations will help to prevent future malware infestations, and keep your system running in good shape. 
Logged
Don't Read?  Can't learn!

Offline colin1

  • Bronze Member
  • Posts: 108
Re: [Resolved]Re-direct and popups
« Reply #28 on: August 25, 2009, 05:29:01 PM »
PCB,

Wow, thanks so much.  Computer is running great.  Some quick questions.  Should I run SpywareBlaster with Avira?  I lost my flash player in all of this, probably because I deleted it before I came here, I tried downloading Adobe Flashplayer (which I had before) and it gave me the Google toolbar with it.  The flashplayer didn't run very well anyway so I uninstalled both Adobe flashplayer and Google toolbar, is there a flash player that you would recomend?  Is watching YouTube considered P2P? 

I have an older computer that the kids use for school work and it also was infected, a Dell with Windows 2000, it's sending mass emails.  You think it may be in the 90% that can be fixed or is it to old? 

It's nice to see there are some Internet Heros out there standing up to all the bad stuff people are doing.  (I don't like the using the word "evil" I think it was over used in the last administration:) 

Colin1
Logged

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7293
Re: [Resolved]Re-direct and popups
« Reply #29 on: August 26, 2009, 07:00:10 AM »
Hi,

Some answers.

1.  There is only one flash player, and that is from Adobe.  You can unselect the Google toolbar during the install, it is a box that you uncheck.  You might try it again since it is updated frequently and some of the malware may have been having a negative effect on how well it was running.

2.  Watching YouTube is not considered P2P but it can have its own risks.  Unfortunately all of the social networking sites have security issues, and hackers target them because they serve so many people.  And, there are uploaded video files on sites like that that have malware infesting them.  There is a technique called steganography that can be used to embed information inside a media file (video, audio or image) that leaves the media file intact, yet permits that embedded information to be downloaded with the file invisible to the user.  For more info on this:

http://en.wikipedia.org/wiki/Steganography

Bottom line, you always have to be careful and aware of the threats out there.  Here's more info http://spywarehammer.com/simplemachinesforum/index.php?board=97.0

3.  We do W2K fixes also.  We even occasionally see W98 and ME.

Logged
Don't Read?  Can't learn!
Pages: 1 [2]   Go Up
« previous next »