Old 08-17-2009, 06:11 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Need help with viruses please - logs attached

Original post

Viruses galore - request help please

Hi all. I seem to have a lot of viruses on my laptop as AVG keeps popping up with various different ones. I try and heal or delete them but on occasion it has said that it can't. Strange thing is that if I do a scan straight away after, it doesn't find the virus that it popped up with and then said it couldn't delete.

The only one I can remember was trojan horse small.BPB or maybe PBP. I have done all the scans in the instructions and attached them.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Dave at 12:35:26.20 on 17/08/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1102 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dave\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [braviax] ž
uRun: [userinit] c:\users\dave\appdata\roaming\sdra64.exe
uRun: [msword98] "c:\windows\temp\wpv491249950026.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Keyboard Manager Utility] "c:\program files\keyboard manager\manager utility\KeyboardManager.exe" /lang en /H
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\1o9gh5yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-12 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-7 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-7 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-7 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-7 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-11 234888]

=============== Created Last 30 ================

2009-08-12 21:41 891,448 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-12 21:41 72,192 a------- c:\windows\system32\drivers\pacer.sys
2009-08-12 21:41 15,360 a------- c:\windows\system32\pacerprf.dll
2009-08-12 21:41 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 21:41 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 06:53 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-12 06:45 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-12 06:44 <DIR> -cd-h--- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 06:44 <DIR> -cd-h--- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 06:43 <DIR> --d----- c:\programdata\Lavasoft
2009-08-12 06:43 <DIR> --d----- c:\program files\Lavasoft
2009-08-11 23:58 <DIR> --dsh--- c:\users\dave\appdata\roaming\lowsec
2009-08-11 18:05 <DIR> --d----- C:\PerfLogs
2009-08-11 13:01 2,623,488 a------- c:\windows\system32\SLsvc.exe
2009-08-11 13:01 1,541,120 a------- c:\windows\system32\onex.dll
2009-08-11 12:59 3,216,896 a------- c:\windows\system32\WinSAT.exe
2009-08-11 12:59 <DIR> --d----- c:\program files\AskBarDis
2009-08-11 12:58 704,512 a------- c:\windows\system32\PhotoScreensaver.scr
2009-08-11 12:58 <DIR> --d----- c:\users\dave\appdata\roaming\uTorrent
2009-08-11 12:57 312,320 a------- c:\windows\system32\mswmdm.dll
2009-08-11 12:56 777,216 a------- c:\windows\system32\slcc.dll
2009-08-11 12:55 173,568 a------- c:\windows\system32\dsdmo.dll
2009-08-10 12:18 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-10 09:31 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-10 09:31 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-10 09:31 <DIR> --d----- c:\program files\iPod
2009-08-10 09:31 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-10 09:31 <DIR> --d----- c:\program files\iTunes
2009-08-10 09:31 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-10 09:30 <DIR> --d----- c:\program files\Bonjour
2009-08-10 09:29 <DIR> --d----- c:\programdata\Apple Computer
2009-08-10 09:27 <DIR> --d----- c:\programdata\Apple
2009-08-10 07:05 <DIR> --d----- C:\Poker
2009-08-09 23:37 <DIR> --d----- c:\program files\VideoLAN
2009-08-09 23:25 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-08-09 23:09 <DIR> --d----- c:\users\dave\appdata\roaming\LimeWire
2009-08-09 23:07 410,984 a------- c:\windows\system32\deploytk.dll
2009-08-09 19:56 <DIR> --d----- c:\users\dave\appdata\roaming\Xfire
2009-08-09 19:56 <DIR> --d----- c:\programdata\Xfire
2009-08-09 19:56 <DIR> --d----- c:\program files\Xfire
2009-08-09 19:56 <DIR> --d----- c:\progra~2\Xfire
2009-08-08 18:10 269,312 a------- c:\windows\system32\es.dll
2009-08-08 09:24 2,048 a------- c:\windows\system32\tzres.dll
2009-08-07 21:37 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-08-07 21:37 61,440 a------- c:\windows\system32\winipsec.dll
2009-08-07 21:37 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-08-07 21:37 272,896 a------- c:\windows\system32\polstore.dll
2009-08-07 21:35 1,820 a------- c:\windows\system32\rasctrnm.h
2009-08-07 21:34 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-08-07 21:34 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-08-07 21:34 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-08-07 21:26 428,544 a------- c:\windows\system32\EncDec.dll
2009-08-07 21:26 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-08-07 21:26 293,376 a------- c:\windows\system32\psisdecd.dll
2009-08-07 21:26 217,088 a------- c:\windows\system32\psisrndr.ax
2009-08-07 21:26 80,896 a------- c:\windows\system32\MSNP.ax
2009-08-07 21:26 69,632 a------- c:\windows\system32\Mpeg2Data.ax
2009-08-07 21:26 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-08-07 21:23 12,880 a------- c:\windows\system32\wbem\wlan.mof
2009-08-07 21:20 2,033,152 a------- c:\windows\system32\win32k.sys
2009-08-07 21:19 156,672 a------- c:\windows\system32\t2embed.dll
2009-08-07 21:19 289,792 a------- c:\windows\system32\atmfd.dll
2009-08-07 21:19 72,704 a------- c:\windows\system32\fontsub.dll
2009-08-07 21:19 34,304 a------- c:\windows\system32\atmlib.dll
2009-08-07 21:19 23,552 a------- c:\windows\system32\lpk.dll
2009-08-07 21:19 10,240 a------- c:\windows\system32\dciman32.dll
2009-08-07 21:15 376,832 a------- c:\windows\system32\winhttp.dll
2009-08-07 21:12 296,960 a------- c:\windows\system32\gdi32.dll
2009-08-07 21:10 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-08-07 21:08 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-08-07 21:08 38,912 a------- c:\windows\system32\xolehlp.dll
2009-08-07 21:02 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-07 21:02 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-07 21:02 1,695,744 a------- c:\windows\system32\gameux.dll
2009-08-07 21:00 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-08-07 20:59 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-08-07 20:59 2,048 a------- c:\windows\system32\msxml3r.dll
2009-08-07 20:45 636,928 a------- c:\windows\system32\localspl.dll
2009-08-07 20:36 2,927,104 a------- c:\windows\explorer.exe
2009-08-07 20:20 1,793,536 a------- c:\windows\system32\NlsLexicons0045.dll
2009-08-07 20:20 1,808,896 a------- c:\windows\system32\NlsLexicons0046.dll
2009-08-07 20:20 1,411,072 a------- c:\windows\system32\NlsLexicons0047.dll
2009-08-07 20:20 1,558,016 a------- c:\windows\system32\NlsLexicons0049.dll
2009-08-07 20:20 1,236,992 a------- c:\windows\system32\NlsLexicons0020.dll
2009-08-07 20:20 1,782,272 a------- c:\windows\system32\NlsLexicons0039.dll
2009-08-07 20:20 2,136,064 a------- c:\windows\system32\NlsLexicons0021.dll
2009-08-07 20:19 5,499,904 a------- c:\windows\system32\NlsLexicons0022.dll
2009-08-07 20:19 7,964,672 a------- c:\windows\system32\NlsLexicons0024.dll
2009-08-07 20:19 5,791,232 a------- c:\windows\system32\NlsLexicons0026.dll
2009-08-07 20:19 6,224,896 a------- c:\windows\system32\NlsLexicons0027.dll
2009-08-07 20:19 4,175,872 a------- c:\windows\system32\NlsLexicons0010.dll
2009-08-07 20:19 2,466,816 a------- c:\windows\system32\NlsLexicons0011.dll
2009-08-07 20:19 4,981,248 a------- c:\windows\system32\NlsLexicons0013.dll
2009-08-07 20:19 3,331,072 a------- c:\windows\system32\NlsLexicons0018.dll
2009-08-07 20:19 6,781,440 a------- c:\windows\system32\NlsLexicons0019.dll
2009-08-07 20:18 11,722,752 a------- c:\windows\system32\NlsLexicons0001.dll
2009-08-07 20:18 4,164,096 a------- c:\windows\system32\NlsLexicons0002.dll
2009-08-07 20:18 1,452,544 a------- c:\windows\system32\NlsLexicons0003.dll
2009-08-07 20:18 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-08-07 20:18 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-08-07 20:18 3,419,136 a------- c:\windows\system32\NlsLexicons004a.dll
2009-08-07 20:18 1,702,912 a------- c:\windows\system32\NlsLexicons004b.dll
2009-08-07 20:18 4,093,440 a------- c:\windows\system32\NlsLexicons004c.dll
2009-08-07 20:18 1,972,736 a------- c:\windows\system32\NlsLexicons004e.dll
2009-08-07 20:18 4,045,824 a------- c:\windows\system32\NlsLexicons003e.dll
2009-08-07 20:18 4,096 a------- c:\windows\system32\NlsLexicons002a.dll
2009-08-07 20:18 6,014,976 a------- c:\windows\system32\NlsLexicons001a.dll
2009-08-07 20:17 6,585,856 a------- c:\windows\system32\NlsLexicons001b.dll
2009-08-07 20:17 6,346,240 a------- c:\windows\system32\NlsLexicons001d.dll
2009-08-07 20:17 9,892,864 a------- c:\windows\system32\NlsLexicons000a.dll
2009-08-07 20:17 6,237,696 a------- c:\windows\system32\NlsLexicons000c.dll
2009-08-07 20:17 1,722,368 a------- c:\windows\system32\NlsLexicons000d.dll
2009-08-07 20:17 5,654,528 a------- c:\windows\system32\NlsLexicons000f.dll
2009-08-07 20:17 4,616,192 a------- c:\windows\system32\NlsLexicons0414.dll
2009-08-07 20:17 5,090,816 a------- c:\windows\system32\NlsLexicons0416.dll
2009-08-07 20:17 5,031,936 a------- c:\windows\system32\NlsLexicons0816.dll
2009-08-07 20:08 6,656 a------- c:\windows\system32\kbd106n.dll
2009-08-07 20:08 927,288 a------- c:\windows\system32\winresume.exe
2009-08-07 20:08 988,216 a------- c:\windows\system32\winload.exe
2009-08-07 20:08 378,368 a------- c:\windows\system32\srcore.dll
2009-08-07 20:08 318,464 a------- c:\windows\system32\rstrui.exe
2009-08-07 20:08 40,960 a------- c:\windows\system32\srclient.dll
2009-08-07 20:08 14,848 a------- c:\windows\system32\srdelayed.exe
2009-08-07 20:08 19,000 a------- c:\windows\system32\kd1394.dll
2009-08-07 20:08 46,592 a------- c:\windows\system32\setbcdlocale.dll
2009-08-07 20:08 615,992 a------- c:\windows\system32\ci.dll
2009-08-07 20:01 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-08-07 20:01 441,400 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-07 20:01 72,704 a------- c:\windows\system32\secur32.dll
2009-08-07 20:01 13,780 a------- c:\windows\system32\wbem\lsasrv.mof
2009-08-07 20:01 9,728 a------- c:\windows\system32\lsass.exe
2009-08-07 20:01 24,064 a------- c:\windows\system32\amxread.dll
2009-08-07 20:01 13,824 a------- c:\windows\system32\apilogen.dll
2009-08-07 19:59 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-08-07 19:59 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-08-07 19:59 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-08-07 19:53 443,392 a------- c:\windows\system32\win32spl.dll
2009-08-07 19:53 37,888 a------- c:\windows\system32\printcom.dll
2009-08-07 19:52 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-08-07 19:52 14,848 a------- c:\windows\system32\wshrm.dll
2009-08-07 19:50 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-08-07 19:48 268,288 a------- c:\windows\system32\schannel.dll
2009-08-07 19:45 622,080 a------- c:\windows\system32\icardagt.exe
2009-08-07 19:45 97,800 a------- c:\windows\system32\infocardapi.dll
2009-08-07 19:45 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-08-07 19:45 11,264 a------- c:\windows\system32\icardres.dll
2009-08-07 19:44 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-07 19:44 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-08-07 19:44 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-08-07 19:44 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-08-07 19:31 196,608 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-08-07 19:31 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-08-07 19:31 20,971,520 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-08-07 19:28 96,760 a------- c:\windows\system32\dfshim.dll
2009-08-07 19:28 41,984 a------- c:\windows\system32\netfxperf.dll
2009-08-07 19:28 282,112 a------- c:\windows\system32\mscoree.dll
2009-08-07 19:28 158,720 a------- c:\windows\system32\mscorier.dll
2009-08-07 19:28 83,968 a------- c:\windows\system32\mscories.dll
2009-08-07 19:13 2,868,736 a------- c:\windows\system32\mf.dll
2009-08-07 19:13 98,816 a------- c:\windows\system32\mfps.dll
2009-08-07 19:13 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-08-07 19:13 2,048 a------- c:\windows\system32\mferror.dll
2009-08-07 19:13 24,576 a------- c:\windows\system32\mfpmp.exe
2009-08-07 19:13 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-08-07 19:13 94,720 a------- c:\windows\system32\logagent.exe
2009-08-07 19:12 738,304 a------- c:\windows\system32\inetcomm.dll
2009-08-07 19:12 84,480 a------- c:\windows\system32\INETRES.dll
2009-08-07 19:12 1,645,568 a------- c:\windows\system32\connect.dll
2009-08-07 19:11 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-08-07 19:11 1,314,816 a------- c:\windows\system32\quartz.dll
2009-08-07 19:10 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-08-07 19:10 2,048 a------- c:\windows\system32\msxml6r.dll
2009-08-07 18:46 <DIR> --d----- c:\users\dave\Tracing
2009-08-07 18:43 <DIR> --d----- c:\program files\Microsoft
2009-08-07 18:42 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-08-07 18:42 <DIR> --d----- c:\windows\PCHEALTH
2009-08-07 18:40 <DIR> --d----- c:\program files\common files\Windows Live
2009-08-07 18:21 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-07 18:21 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-07 18:21 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-07 18:21 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-07 18:21 <DIR> --d----- c:\program files\AVG
2009-08-07 18:20 <DIR> --d----- c:\programdata\avg8
2009-08-07 18:20 <DIR> --d----- c:\progra~2\avg8
2009-08-07 18:17 <DIR> --d----- c:\users\dave\appdata\roaming\AVG8
2009-08-07 18:17 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-08-07 18:16 83,456 a------- c:\windows\system32\wudriver.dll
2009-08-07 18:15 162,064 a------- c:\windows\system32\wuwebv.dll
2009-08-07 18:15 31,232 a------- c:\windows\system32\wuapp.exe
2009-08-07 18:13 <DIR> --d----- c:\programdata\Adobe
2009-08-07 18:12 <DIR> --d----- c:\users\Dave
2009-07-24 02:58 41,872 a------- c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2009-08-11 18:21 174 a--sh--- c:\program files\desktop.ini
2009-08-11 18:20 86,016 a------- c:\windows\inf\infstor.dat
2009-08-11 18:20 51,200 a------- c:\windows\inf\infpub.dat
2009-08-11 18:20 86,016 a------- c:\windows\inf\infstrng.dat
2009-08-11 18:05 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-11 17:53 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-08-11 17:53 82,432 a------- c:\windows\system32\axaltocm.dll
2009-08-07 21:02 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-08-07 21:02 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2009-08-07 21:02 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-07 21:02 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-07 21:02 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-07 21:02 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-08-07 20:05 551,424 a------- c:\windows\system32\rpcss.dll
2009-08-07 20:01 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-08-07 19:56 72,704 a------- c:\windows\system32\admparse.dll
2009-08-07 19:56 827,904 a------- c:\windows\system32\wininet.dll
2009-08-07 19:56 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-07 19:56 48,128 a------- c:\windows\system32\mshtmler.dll
2009-08-07 19:56 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-14 14:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-14 13:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-14 13:58 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-14 11:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-06-10 13:07 91,136 a------- c:\windows\system32\avifil32.dll
2009-06-04 13:34 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-02 17:11 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-29 22:37 205,824 a------- c:\windows\system32\xvidvfw.dll
2009-05-29 22:31 881,664 a------- c:\windows\system32\xvidcore.dll
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-03-07 13:54 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:36:49.30 ===============


Many thanks for any help

Dave
Attached Files
File Type: zip Attach.zip (1.7 KB, 2 views)
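
A triage pass over the Run-key lines of the DDS log above, as an added example that is not part of the original post or of DDS itself: it flags autostart entries whose data is not a program path, whose target sits in a profile or temp directory, or whose value name borrows a Windows component name while pointing outside the Windows directory. The heuristics, the `triage` and `extract_target` names, and the assumption that the system drive is `c:` are illustrative; a flag means "examine this entry", not a verdict.

```python
import re
from typing import List, NamedTuple, Optional

# Sample input: Run-key lines copied from the "Pseudo HJT Report" section of
# the DDS log in the post above (uRun = per-user key, mRun = machine key).
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [braviax] ž
uRun: [userinit] c:\users\dave\appdata\roaming\sdra64.exe
uRun: [msword98] "c:\windows\temp\wpv491249950026.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
"""

RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
QUOTED_TARGET = re.compile(r'^"([^"]+)"')
# Unquoted commands may contain spaces, so cut at the first executable extension.
BARE_TARGET = re.compile(r"^(.+?\.(?:exe|scr|com|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)

# Assumptions for this example: directories a standard user can write to,
# value names that imitate Windows components, and a system drive of c:.
USER_WRITABLE = ("\\appdata\\", "\\windows\\temp\\", "\\local settings\\temp\\")
SYSTEM_NAMES = {"userinit", "svchost", "explorer", "winlogon", "lsass", "services"}
SYSTEM_ROOTS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")


class Finding(NamedTuple):
    hive: str               # "u" (current user) or "m" (local machine)
    name: str               # registry value name shown in [brackets]
    target: Optional[str]   # program path, or None if none could be parsed
    reasons: List[str]


def extract_target(cmd: str) -> Optional[str]:
    """Return the program path from a Run value, without its arguments."""
    cmd = cmd.strip()
    m = QUOTED_TARGET.match(cmd) or BARE_TARGET.match(cmd)
    return m.group(1) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return the Run entries that deserve a closer look, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # not a uRun/mRun line
        name = m.group("name")
        target = extract_target(m.group("cmd"))
        reasons = []
        if target is None:
            reasons.append("value data is not a recognisable program path")
        else:
            low = target.lower()
            if any(part in low for part in USER_WRITABLE):
                reasons.append("target runs from a profile or temp directory")
            if name.lower() in SYSTEM_NAMES and not low.startswith(SYSTEM_ROOTS):
                reasons.append("Windows component name used outside the Windows directory")
        if reasons:
            findings.append(Finding(m.group("hive"), name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive}Run [{f.name}] -> {f.target}")
        for reason in f.reasons:
            print(f"    - {reason}")
```
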
Old 08-17-2009, 01:16 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Hello, and welcome back.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


---------------------------------------------------------------------------------------------
  1. Download ComboFix from this location:

    Link 1

    * Save the file to your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here


    AVG 8.5
    Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
    • Click on Open AVG Interface.
    • Double click on Resident Shield
    • Deselect the option to "Enable Resident Shield."
    • Save changes, and exit the application.
    • To re-enable AVG 8.5, please select "Enable Resident Shield" again.


    Windows Defender

    Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
    • Launch Windows Defender, right click on the System Tray icon, select Open.
    • Click on Tools>Options.
    • Scroll down and uncheck "Use real-time protection (recommended)".
    • Scroll down further, and uncheck "Use Windows Defender"
    • After you uncheck these, click on the Save button, approve the UAC prompt, and close Windows Defender.

  3. Double click on the file you downloaded & follow the prompts.

  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 08-17-2009, 01:45 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

Hi and thanks for your help. I followed the instructions to disable AVG but when I try and run ComboFix it says that AVG is still running for antivirus and spyware. I checked but it's definitely disabled so I figured just to carry on and see if it worked. I then get an error saying, "Where you trying to run CFScript? The name, CFScript appears to be incorrectly spelt".

I hit ok as it's the only option and the command window closes and nothing happens.

Any ideas what could be the problem?
davybhoy is offline  
Old 08-17-2009, 02:22 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Let me look into that.

Please see your private messages.
tetonbob is offline  
Old 08-17-2009, 02:45 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

I did what you suggested via PM and this was the log that it produced:

Volume in drive C is Vista
Volume Serial Number is D2CC-D085

I thought that was very little so I did a re-start and tried again but it only gave me the same thing as above.

Dave
davybhoy is offline  
Old 08-17-2009, 02:51 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Please delete your existing version of ComboFix
  1. Download Combofix from any of the links below. You must rename it before saving it. Name it ComFx and Save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on ComFx.exe & follow the prompts.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 08-17-2009, 03:14 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

This seems to have worked better. Just to remind you that it said AVG was still running although I did definitely follow the steps to turn it off.

Here's the log:

ComboFix 09-08-10.06 - Dave 17/08/2009 22:05.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1239 [GMT 1:00]
Running from: c:\users\Dave\Desktop\ComFx.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2139252429-1018222934-1169608220-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-780966261-791558582-1927200443-500
c:\users\Dave\AppData\Roaming\wiaserva.log
c:\users\Dave\oashdihasidhasuidhiasdhiashdiuasdhasd


.
((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 21:08 . 2009-08-17 21:09 -------- d-----w- c:\users\Dave\AppData\Local\temp
2009-08-17 21:08 . 2009-08-17 21:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-14 08:58 . 2009-08-14 08:58 -------- d-----w- c:\users\Dave\AppData\Roaming\CyberLink
2009-08-12 20:41 . 2008-04-26 08:26 891448 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-12 20:41 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2009-08-12 20:41 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-08-12 20:41 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 20:41 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 05:53 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-12 05:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-12 05:44 . 2009-08-12 05:44 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 05:44 . 2009-07-08 17:28 2920112 -c--a-w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-12 05:43 . 2009-08-12 05:45 -------- d-----w- c:\programdata\Lavasoft
2009-08-12 05:43 . 2009-08-12 05:43 -------- d-----w- c:\program files\Lavasoft
2009-08-11 22:58 . 2009-08-14 21:52 -------- d-sh--w- c:\users\Dave\AppData\Roaming\lowsec
2009-08-11 17:05 . 2009-08-11 17:05 -------- d-----w- C:\PerfLogs
2009-08-11 16:35 . 2009-08-11 16:35 -------- d-----w- c:\users\Dave\AppData\Roaming\AdobeUM
2009-08-11 16:35 . 2009-08-11 16:35 -------- d-----w- c:\users\Dave\AppData\Local\Adobe
2009-08-11 12:01 . 2008-01-19 07:36 1541120 ----a-w- c:\windows\system32\onex.dll
2009-08-11 12:01 . 2008-01-19 07:33 2623488 ----a-w- c:\windows\system32\SLsvc.exe
2009-08-11 11:59 . 2008-01-19 07:36 347648 ----a-w- c:\windows\system32\wbem\wbemess.dll
2009-08-11 11:58 . 2008-01-19 07:36 189952 ----a-w- c:\windows\system32\winmm.dll
2009-08-11 11:57 . 2008-01-19 07:41 21560 ----a-w- c:\windows\system32\kdusb.dll
2009-08-11 11:56 . 2008-01-19 07:36 175616 ----a-w- c:\windows\system32\syncui.dll
2009-08-11 11:55 . 2008-01-19 07:36 77824 ----a-w- c:\windows\system32\odbccr32.dll
2009-08-10 11:18 . 2009-08-15 15:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-10 08:31 . 2009-08-11 23:33 -------- d-----w- c:\users\Dave\AppData\Local\Apple Computer
2009-08-10 08:27 . 2009-08-10 08:27 -------- d-----w- c:\programdata\Apple
2009-08-10 06:05 . 2009-08-10 06:05 -------- d-----w- C:\Poker
2009-08-09 22:40 . 2009-08-11 23:29 -------- d-----w- c:\users\Dave\AppData\Roaming\vlc
2009-08-09 22:37 . 2009-08-09 22:37 -------- d-----w- c:\program files\VideoLAN
2009-08-09 22:25 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-08-09 22:25 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-08-09 22:25 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-09 22:25 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-08-09 22:25 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-08-09 22:25 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll
2009-08-09 22:25 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2009-08-09 22:25 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-09 22:25 . 2009-08-09 22:25 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-09 22:07 . 2009-08-09 22:07 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 22:07 . 2009-08-09 22:07 -------- d-----w- c:\program files\Java
2009-08-09 18:56 . 2009-08-17 19:34 -------- d-----w- c:\users\Dave\AppData\Roaming\Xfire
2009-08-09 18:56 . 2009-08-13 05:16 -------- d-----w- c:\programdata\Xfire
2009-08-09 18:56 . 2009-08-09 18:56 -------- d-----w- c:\program files\Xfire
2009-08-08 17:10 . 2009-08-08 17:10 269312 ----a-w- c:\windows\system32\es.dll
2009-08-08 08:24 . 2009-08-08 08:24 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-07 20:37 . 2009-08-07 20:37 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-08-07 20:37 . 2009-08-07 20:37 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-08-07 20:37 . 2009-08-07 20:37 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-08-07 20:37 . 2009-08-07 20:37 272896 ----a-w- c:\windows\system32\polstore.dll
2009-08-07 20:34 . 2009-08-07 20:34 94720 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-08-07 20:34 . 2009-08-07 20:34 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-08-07 20:34 . 2009-08-07 20:34 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-08-07 20:26 . 2009-08-07 20:26 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-07 20:26 . 2009-08-07 20:26 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-07 20:20 . 2009-08-07 20:20 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-08-07 20:19 . 2009-08-07 20:19 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-08-07 20:19 . 2009-08-07 20:19 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-07 20:19 . 2009-08-07 20:19 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-08-07 20:19 . 2009-08-07 20:19 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-07 20:19 . 2009-08-07 20:19 23552 ----a-w- c:\windows\system32\lpk.dll
2009-08-07 20:19 . 2009-08-07 20:19 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-07 20:15 . 2009-08-07 20:15 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-08-07 20:12 . 2009-08-07 20:12 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-08-07 20:10 . 2009-08-07 20:10 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-08-07 20:08 . 2009-08-07 20:08 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-07 20:08 . 2009-08-07 20:08 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-07 20:02 . 2009-08-07 20:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-07 20:02 . 2009-08-07 20:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-07 20:02 . 2009-08-07 20:02 1695744 ----a-w- c:\windows\system32\gameux.dll
2009-08-07 20:00 . 2009-08-07 20:00 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-08-07 19:59 . 2009-08-07 19:59 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-08-07 19:59 . 2009-08-07 19:59 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-08-07 19:45 . 2009-08-07 19:45 636928 ----a-w- c:\windows\system32\localspl.dll
2009-08-07 19:36 . 2009-08-07 19:36 2927104 ----a-w- c:\windows\explorer.exe
2009-08-07 19:20 . 2009-08-07 19:20 1793536 ----a-w- c:\windows\system32\NlsLexicons0045.dll
2009-08-07 19:20 . 2009-08-07 19:20 1808896 ----a-w- c:\windows\system32\NlsLexicons0046.dll
2009-08-07 19:20 . 2009-08-07 19:20 1411072 ----a-w- c:\windows\system32\NlsLexicons0047.dll
2009-08-07 19:20 . 2009-08-07 19:20 1558016 ----a-w- c:\windows\system32\NlsLexicons0049.dll
2009-08-07 19:20 . 2009-08-07 19:20 1236992 ----a-w- c:\windows\system32\NlsLexicons0020.dll
2009-08-07 19:20 . 2009-08-07 19:20 1782272 ----a-w- c:\windows\system32\NlsLexicons0039.dll
2009-08-07 19:20 . 2009-08-07 19:20 2136064 ----a-w- c:\windows\system32\NlsLexicons0021.dll
2009-08-07 19:19 . 2009-08-07 19:19 5499904 ----a-w- c:\windows\system32\NlsLexicons0022.dll
2009-08-07 19:19 . 2009-08-07 19:19 7964672 ----a-w- c:\windows\system32\NlsLexicons0024.dll
2009-08-07 19:19 . 2009-08-07 19:19 5791232 ----a-w- c:\windows\system32\NlsLexicons0026.dll
2009-08-07 19:19 . 2009-08-07 19:19 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2009-08-07 19:19 . 2009-08-07 19:19 4175872 ----a-w- c:\windows\system32\NlsLexicons0010.dll
2009-08-07 19:19 . 2009-08-07 19:19 2466816 ----a-w- c:\windows\system32\NlsLexicons0011.dll
2009-08-07 19:19 . 2009-08-07 19:19 4981248 ----a-w- c:\windows\system32\NlsLexicons0013.dll
2009-08-07 19:19 . 2009-08-07 19:19 3331072 ----a-w- c:\windows\system32\NlsLexicons0018.dll
2009-08-07 19:19 . 2009-08-07 19:19 6781440 ----a-w- c:\windows\system32\NlsLexicons0019.dll
2009-08-07 19:18 . 2009-08-07 19:18 11722752 ----a-w- c:\windows\system32\NlsLexicons0001.dll
2009-08-07 19:18 . 2009-08-07 19:18 4164096 ----a-w- c:\windows\system32\NlsLexicons0002.dll
2009-08-07 19:18 . 2009-08-07 19:18 1452544 ----a-w- c:\windows\system32\NlsLexicons0003.dll
2009-08-07 19:18 . 2009-08-07 19:18 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-08-07 19:18 . 2009-08-07 19:18 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-08-07 19:18 . 2009-08-07 19:18 3419136 ----a-w- c:\windows\system32\NlsLexicons004a.dll
2009-08-07 19:18 . 2009-08-07 19:18 1702912 ----a-w- c:\windows\system32\NlsLexicons004b.dll
2009-08-07 19:18 . 2009-08-07 19:18 4093440 ----a-w- c:\windows\system32\NlsLexicons004c.dll
2009-08-07 19:18 . 2009-08-07 19:18 1972736 ----a-w- c:\windows\system32\NlsLexicons004e.dll
2009-08-07 19:18 . 2009-08-07 19:18 4045824 ----a-w- c:\windows\system32\NlsLexicons003e.dll
2009-08-07 19:18 . 2009-08-07 19:18 4096 ----a-w- c:\windows\system32\NlsLexicons002a.dll
2009-08-07 19:18 . 2009-08-07 19:18 6014976 ----a-w- c:\windows\system32\NlsLexicons001a.dll
2009-08-07 19:17 . 2009-08-07 19:17 6585856 ----a-w- c:\windows\system32\NlsLexicons001b.dll
2009-08-07 19:17 . 2009-08-07 19:17 6346240 ----a-w- c:\windows\system32\NlsLexicons001d.dll
2009-08-07 19:17 . 2009-08-07 19:17 9892864 ----a-w- c:\windows\system32\NlsLexicons000a.dll
2009-08-07 19:17 . 2009-08-07 19:17 6237696 ----a-w- c:\windows\system32\NlsLexicons000c.dll
2009-08-07 19:17 . 2009-08-07 19:17 1722368 ----a-w- c:\windows\system32\NlsLexicons000d.dll
2009-08-07 19:17 . 2009-08-07 19:17 5654528 ----a-w- c:\windows\system32\NlsLexicons000f.dll
2009-08-07 19:17 . 2009-08-07 19:17 4616192 ----a-w- c:\windows\system32\NlsLexicons0414.dll
2009-08-07 19:17 . 2009-08-07 19:17 5090816 ----a-w- c:\windows\system32\NlsLexicons0416.dll
2009-08-07 19:17 . 2009-08-07 19:17 5031936 ----a-w- c:\windows\system32\NlsLexicons0816.dll
2009-08-07 19:08 . 2009-08-07 19:08 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-08-07 19:08 . 2009-08-07 19:08 927288 ----a-w- c:\windows\system32\winresume.exe
2009-08-07 19:08 . 2009-08-07 19:08 988216 ----a-w- c:\windows\system32\winload.exe
2009-08-07 19:08 . 2009-08-07 19:08 40960 ----a-w- c:\windows\system32\srclient.dll
2009-08-07 19:08 . 2009-08-07 19:08 378368 ----a-w- c:\windows\system32\srcore.dll
2009-08-07 19:08 . 2009-08-07 19:08 318464 ----a-w- c:\windows\system32\rstrui.exe
2009-08-07 19:08 . 2009-08-07 19:08 14848 ----a-w- c:\windows\system32\srdelayed.exe
2009-08-07 19:08 . 2009-08-07 19:08 19000 ----a-w- c:\windows\system32\kd1394.dll
2009-08-07 19:08 . 2009-08-07 19:08 46592 ----a-w- c:\windows\system32\setbcdlocale.dll
2009-08-07 19:08 . 2009-08-07 19:08 615992 ----a-w- c:\windows\system32\ci.dll
2009-08-07 19:01 . 2009-08-07 19:01 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-07 19:01 . 2009-08-07 19:01 72704 ----a-w- c:\windows\system32\secur32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 11:30 . 2009-08-11 11:58 -------- d-----w- c:\users\Dave\AppData\Roaming\uTorrent
2009-08-14 08:58 . 2007-06-14 00:29 -------- d-----w- c:\programdata\CyberLink
2009-08-12 21:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-11 23:37 . 2009-08-09 22:09 -------- d-----w- c:\users\Dave\AppData\Roaming\LimeWire
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-08-11 17:05 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-11 16:53 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-08-11 16:53 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-08-11 11:59 . 2009-08-11 11:59 -------- d-----w- c:\program files\AskBarDis
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\users\Dave\AppData\Roaming\Apple Computer
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\program files\iTunes
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\program files\iPod
2009-08-10 08:31 . 2009-08-10 08:27 -------- d-----w- c:\program files\Common Files\Apple
2009-08-10 08:31 . 2009-08-10 08:29 -------- d-----w- c:\programdata\Apple Computer
2009-08-10 08:30 . 2009-08-10 08:30 -------- d-----w- c:\program files\Bonjour
2009-08-10 08:30 . 2009-08-10 08:29 -------- d-----w- c:\program files\QuickTime
2009-08-10 08:29 . 2009-08-10 08:29 -------- d-----w- c:\program files\Apple Software Update
2009-08-07 19:16 . 2009-08-07 19:16 7042560 ----a-w- c:\windows\system32\NlsLexicons081a.dll
2009-08-07 19:05 . 2009-08-07 19:05 551424 ----a-w- c:\windows\system32\rpcss.dll
2009-08-07 18:56 . 2009-08-07 18:56 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-07 18:56 . 2009-08-07 18:56 827904 ----a-w- c:\windows\system32\wininet.dll
2009-08-07 18:56 . 2009-08-07 18:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-07 18:56 . 2009-08-07 18:56 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-07 18:56 . 2009-08-07 18:56 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-14 13:00 . 2009-08-12 20:40 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 20:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 20:40 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 20:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-13 13:22 . 2009-07-13 13:22 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-06-10 12:07 . 2009-08-12 20:40 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-04 12:34 . 2009-08-12 20:40 2066432 ----a-w- c:\windows\system32\mstscax.dll
2007-03-07 12:54 . 2007-03-07 12:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"Keyboard Manager Utility"="c:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2007-01-11 1359872]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-07 2000152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-7-24 3191696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1B73EE88-4F7A-43BB-8042-113A66691A1F}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{8E038C9E-A763-4122-A8D7-C4B553673276}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{5F365C61-1136-4ED9-AE87-DE932DC90DEF}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{76BEC04D-5730-45FB-97EA-8CAD4D43DA86}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{93A64BD9-A71B-458F-AF67-E69E4EB86DD9}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire
"{CBE9CDA2-88CB-4DC3-BF7A-75D4DB431F97}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2AA95F0C-DA8B-47EC-A0D7-F83D7800F576}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F445CF40-7926-4506-88D3-9EE971376E89}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C2E7DA6A-5100-4656-AEA1-DF572F7F6F84}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{0B288A6F-68EB-41A5-B3D9-79654FD07900}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{5EBCD7BB-A024-4A08-9A58-AF867CCDF378}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{524EC277-5CF9-4ACD-BD37-D56389DF1E0A}c:\\windows\\explorer.exe"= UDP:c:\windows\explorer.exe:Windows Explorer
"UDP Query User{2967A633-B9CB-4EF3-B8A3-6B32CFB6ADA7}c:\\windows\\explorer.exe"= TCP:c:\windows\explorer.exe:Windows Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/08/2009 06:45 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [07/08/2009 18:21 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [07/08/2009 18:21 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/08/2009 18:21 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/08/2009 18:21 297752]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [11/08/2009 12:59 234888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
.
Contents of the 'Scheduled Tasks' folder

2009-08-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\1o9gh5yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 22:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-08-17 22:10
ComboFix-quarantined-files.txt 2009-08-17 21:10

Pre-Run: 77,015,982,080 bytes free
Post-Run: 76,999,180,288 bytes free

333 --- E O F --- 2009-08-12 21:04


Thanks for all your help so far

Dave
Old 08-17-2009, 03:29 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

That's fine, it seems to have run with no complications.

I wonder if you've intentionally installed the Ask Toolbar. It's listed as "O", open to debate.

http://www.systemlookup.com/CLSID/20...skBar_dll.html

Your choice on whether to keep it or uninstall it.

===========================

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Also....


Click the Start button, in the search box copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 08-17-2009, 03:48 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

Ok, here is the malwarebytes log:

Malwarebytes' Anti-Malware 1.40
Database version: 2644
Windows 6.0.6001 Service Pack 1

17/08/2009 22:45:16
mbam-log-2009-08-17 (22-45-16).txt

Scan type: Quick Scan
Objects scanned: 80266
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is the log from the search:

Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AVG Free 8.5
Bonjour
Choice Guard
Conexant HD Audio
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 11
K-Lite Codec Pack 5.0.5 (Full)
Keyboard Manager Utility
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MSVCRT
Power2Go 5.0
QuickTime
Ralink Wireless LAN Card
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.1
William Hill Poker
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
Xfire (remove only)

I also removed the ASK toolbar using add/remove programs

Dave
Old 08-17-2009, 03:52 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Please do this....

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
dir /a /s "c:\users\Dave\AppData\Roaming\lowsec" > log.txt
notepad log.txt
del log.txt
Save this as peek.bat. Choose to "Save type as - All Files".
It should look like this:
Right click on peek.bat, select Run As Administrator, & allow it to run. A log file should open. Please post the contents of the log.
Old 08-17-2009, 03:54 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

Ok here is the peek.bat log:

Volume in drive C is Vista
Volume Serial Number is D2CC-D085

Directory of c:\users\Dave\AppData\Roaming\lowsec

14/08/2009 22:52 <DIR> .
14/08/2009 22:52 <DIR> ..
14/08/2009 22:52 21,984 local.ds
11/08/2009 23:58 0 user.ds
2 File(s) 21,984 bytes

Total Files Listed:
2 File(s) 21,984 bytes
2 Dir(s) 75,187,212,288 bytes free


Dave
Old 08-17-2009, 04:04 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Interesting...Mbam usually targets and removes that folder. It is an indicator of infostealer infection previously mentioned. We'll remove it using ComboFix, as there are other items I want to address at the same time.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I see some remnants of Limewire and utorrent. I'm going to remove them with the following script, as it seems you've already wisely uninstalled them.
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    Folder::
    c:\users\Dave\AppData\Roaming\lowsec
    c:\users\Dave\AppData\Roaming\uTorrent
    c:\users\Dave\AppData\Roaming\LimeWire
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "TCP Query User{0B288A6F-68EB-41A5-B3D9-79654FD07900}c:\\program files\\limewire\\limewire.exe"=-
    "UDP Query User{5EBCD7BB-A024-4A08-9A58-AF867CCDF378}c:\\program files\\limewire\\limewire.exe"=-
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
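The folder check that peek.bat performs for one profile, extended to every profile on the machine, as an added example that is not part of the original thread. The function name `Find-LowsecFolder`, its parameters and the `C:\Users` profile root are assumptions; only the folder name `lowsec` comes from the posts above. It is read-only and needs an elevated prompt to see other users' profiles.

```powershell
# Added example (not from the thread): read-only triage for the folder that
# peek.bat lists. Hypothetical helper; "lowsec" is the only value taken from the page.
function Find-LowsecFolder {
    [CmdletBinding()]
    param(
        [string]$ProfilesRoot = 'C:\Users',   # assumption: Vista-or-later profile layout
        [string]$FolderName   = 'lowsec'
    )

    # -Force includes hidden and system entries, the equivalent of "dir /a".
    $profiles = Get-ChildItem -LiteralPath $ProfilesRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }

    foreach ($p in $profiles) {
        $target = Join-Path $p.FullName "AppData\Roaming\$FolderName"
        if (-not (Test-Path -LiteralPath $target -PathType Container -ErrorAction SilentlyContinue)) {
            continue
        }

        # -Recurse -Force mirrors "dir /a /s": every file, including hidden ones.
        $files = @(Get-ChildItem -LiteralPath $target -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer })

        if ($files.Count -eq 0) {
            # An empty folder is still reported, since its presence is the indicator.
            [pscustomobject][ordered]@{
                Profile   = $p.Name
                File      = '(folder present, no files)'
                Bytes     = 0
                LastWrite = (Get-Item -LiteralPath $target -Force).LastWriteTime
            }
            continue
        }

        foreach ($f in $files) {
            [pscustomobject][ordered]@{
                Profile   = $p.Name
                File      = $f.FullName
                Bytes     = $f.Length
                LastWrite = $f.LastWriteTime
            }
        }
    }
}

# Report only; nothing is modified or deleted.
$hits = @(Find-LowsecFolder)
if ($hits.Count -eq 0) {
    'No lowsec folder found in any profile.'
} else {
    $hits | Sort-Object Profile, File | Format-Table -AutoSize
}
```

Running it again after the cleanup confirms the folder is gone from every profile, not only the one named in the script.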
Old 08-17-2009, 04:24 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

Here is the new ComboFix log:

ComboFix 09-08-10.06 - Dave 17/08/2009 23:15.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1002 [GMT 1:00]
Running from: c:\users\Dave\Desktop\ComFx.exe
Command switches used :: c:\users\Dave\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\res\viewsource.css
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\res\wincharset.properties
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\smime3.dll
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\softokn3.chk
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\softokn3.dll
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\sqlite3.dll
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\ssl3.dll
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\updater.exe
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\version.properties
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xpcom.dll
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xpcshell.exe
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xpicleanup.exe
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xpidl.exe
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xpt_dump.exe
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xpt_link.exe
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xul.dll
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\users\Dave\AppData\Roaming\LimeWire\browser\xulrunner\xulrunner.exe
c:\users\Dave\AppData\Roaming\LimeWire\certificate\limewire.keystore
c:\users\Dave\AppData\Roaming\LimeWire\createtimes.cache
c:\users\Dave\AppData\Roaming\LimeWire\downloads.dat
c:\users\Dave\AppData\Roaming\LimeWire\fileurns.cache
c:\users\Dave\AppData\Roaming\LimeWire\gnutella.net
c:\users\Dave\AppData\Roaming\LimeWire\installation.props
c:\users\Dave\AppData\Roaming\LimeWire\library.dat
c:\users\Dave\AppData\Roaming\LimeWire\library5.dat
c:\users\Dave\AppData\Roaming\LimeWire\limewire.props
c:\users\Dave\AppData\Roaming\LimeWire\lock
c:\users\Dave\AppData\Roaming\LimeWire\mojito.props
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\.autoreg
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\04DF0396d01
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\30B5DE57d01
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\4C4B6535d01
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\98E79480d01
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\AE98BDFBd01
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\Cache\BAFF9A8Ed01
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\cert8.db
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\compreg.dat
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\cookies.sqlite
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\downloads.sqlite
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\extensions.cache
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\extensions.ini
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\history.dat
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\key3.db
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\permissions.sqlite
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\places.sqlite-journal
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\places.sqlite
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\pluginreg.dat
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\prefs.js
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\secmod.db
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\XPC.mfl
c:\users\Dave\AppData\Roaming\LimeWire\mozilla-profile\xpti.dat
c:\users\Dave\AppData\Roaming\LimeWire\player.props
c:\users\Dave\AppData\Roaming\LimeWire\promotion\promodb.backup
c:\users\Dave\AppData\Roaming\LimeWire\promotion\promodb.data
c:\users\Dave\AppData\Roaming\LimeWire\promotion\promodb.properties
c:\users\Dave\AppData\Roaming\LimeWire\promotion\promodb.script
c:\users\Dave\AppData\Roaming\LimeWire\questions.props
c:\users\Dave\AppData\Roaming\LimeWire\responses.cache
c:\users\Dave\AppData\Roaming\LimeWire\simpp.xml
c:\users\Dave\AppData\Roaming\LimeWire\spam.dat
c:\users\Dave\AppData\Roaming\LimeWire\tables.props
c:\users\Dave\AppData\Roaming\LimeWire\ttdata.cache
c:\users\Dave\AppData\Roaming\LimeWire\ttroot.cache
c:\users\Dave\AppData\Roaming\LimeWire\version.xml
c:\users\Dave\AppData\Roaming\LimeWire\versions.props
c:\users\Dave\AppData\Roaming\LimeWire\xml\data\audio.sxml3
c:\users\Dave\AppData\Roaming\LimeWire\xml\data\video.sxml3
c:\users\Dave\AppData\Roaming\lowsec
c:\users\Dave\AppData\Roaming\lowsec\local.ds
c:\users\Dave\AppData\Roaming\lowsec\user.ds
c:\users\Dave\AppData\Roaming\uTorrent
c:\users\Dave\AppData\Roaming\uTorrent\dht.dat
c:\users\Dave\AppData\Roaming\uTorrent\dht.dat.new
c:\users\Dave\AppData\Roaming\uTorrent\dht.dat.old
c:\users\Dave\AppData\Roaming\uTorrent\resume.dat
c:\users\Dave\AppData\Roaming\uTorrent\resume.dat.old
c:\users\Dave\AppData\Roaming\uTorrent\rss.dat
c:\users\Dave\AppData\Roaming\uTorrent\rss.dat.new
c:\users\Dave\AppData\Roaming\uTorrent\rss.dat.old
c:\users\Dave\AppData\Roaming\uTorrent\settings.dat
c:\users\Dave\AppData\Roaming\uTorrent\settings.dat.old
c:\users\Dave\AppData\Roaming\uTorrent\State.of.Play.2009.DVDRip.XviD-AMIABLE.torrent
c:\users\Dave\AppData\Roaming\uTorrent\The.Hangover.DVDSCR.XviD-xSCR.torrent


.
((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 22:20 . 2009-08-17 22:20 -------- d-----w- c:\users\Dave\AppData\Local\temp
2009-08-17 22:20 . 2009-08-17 22:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-17 22:20 . 2009-08-17 22:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-17 21:36 . 2009-08-17 21:36 -------- d-----w- c:\users\Dave\AppData\Roaming\Malwarebytes
2009-08-17 21:36 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-17 21:36 . 2009-08-17 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 21:36 . 2009-08-17 21:36 -------- d-----w- c:\programdata\Malwarebytes
2009-08-17 21:36 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-14 08:58 . 2009-08-14 08:58 -------- d-----w- c:\users\Dave\AppData\Roaming\CyberLink
2009-08-12 20:41 . 2008-04-26 08:26 891448 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-12 20:41 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2009-08-12 20:41 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-08-12 20:41 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 20:41 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 05:53 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-12 05:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-12 05:44 . 2009-08-12 05:44 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 05:44 . 2009-07-08 17:28 2920112 -c--a-w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-12 05:43 . 2009-08-12 05:45 -------- d-----w- c:\programdata\Lavasoft
2009-08-12 05:43 . 2009-08-12 05:43 -------- d-----w- c:\program files\Lavasoft
2009-08-11 17:05 . 2009-08-11 17:05 -------- d-----w- C:\PerfLogs
2009-08-11 16:35 . 2009-08-11 16:35 -------- d-----w- c:\users\Dave\AppData\Roaming\AdobeUM
2009-08-11 16:35 . 2009-08-11 16:35 -------- d-----w- c:\users\Dave\AppData\Local\Adobe
2009-08-11 12:01 . 2008-01-19 07:36 1541120 ----a-w- c:\windows\system32\onex.dll
2009-08-11 12:01 . 2008-01-19 07:33 2623488 ----a-w- c:\windows\system32\SLsvc.exe
2009-08-11 11:59 . 2008-01-19 07:36 347648 ----a-w- c:\windows\system32\wbem\wbemess.dll
2009-08-11 11:58 . 2008-01-19 07:36 189952 ----a-w- c:\windows\system32\winmm.dll
2009-08-11 11:57 . 2008-01-19 07:41 21560 ----a-w- c:\windows\system32\kdusb.dll
2009-08-11 11:56 . 2008-01-19 07:36 175616 ----a-w- c:\windows\system32\syncui.dll
2009-08-11 11:55 . 2008-01-19 07:36 77824 ----a-w- c:\windows\system32\odbccr32.dll
2009-08-10 11:18 . 2009-08-15 15:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-10 08:31 . 2009-08-11 23:33 -------- d-----w- c:\users\Dave\AppData\Local\Apple Computer
2009-08-10 08:27 . 2009-08-10 08:27 -------- d-----w- c:\programdata\Apple
2009-08-10 06:05 . 2009-08-10 06:05 -------- d-----w- C:\Poker
2009-08-09 22:40 . 2009-08-11 23:29 -------- d-----w- c:\users\Dave\AppData\Roaming\vlc
2009-08-09 22:37 . 2009-08-09 22:37 -------- d-----w- c:\program files\VideoLAN
2009-08-09 22:25 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-08-09 22:25 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-08-09 22:25 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-09 22:25 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-08-09 22:25 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-08-09 22:25 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll
2009-08-09 22:25 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2009-08-09 22:25 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-09 22:25 . 2009-08-09 22:25 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-09 22:07 . 2009-08-09 22:07 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 22:07 . 2009-08-09 22:07 -------- d-----w- c:\program files\Java
2009-08-09 18:56 . 2009-08-17 19:34 -------- d-----w- c:\users\Dave\AppData\Roaming\Xfire
2009-08-09 18:56 . 2009-08-13 05:16 -------- d-----w- c:\programdata\Xfire
2009-08-09 18:56 . 2009-08-09 18:56 -------- d-----w- c:\program files\Xfire
2009-08-08 17:10 . 2009-08-08 17:10 269312 ----a-w- c:\windows\system32\es.dll
2009-08-08 08:24 . 2009-08-08 08:24 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-07 20:37 . 2009-08-07 20:37 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-08-07 20:37 . 2009-08-07 20:37 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-08-07 20:37 . 2009-08-07 20:37 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-08-07 20:37 . 2009-08-07 20:37 272896 ----a-w- c:\windows\system32\polstore.dll
2009-08-07 20:34 . 2009-08-07 20:34 94720 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-08-07 20:34 . 2009-08-07 20:34 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-08-07 20:34 . 2009-08-07 20:34 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-08-07 20:26 . 2009-08-07 20:26 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-07 20:26 . 2009-08-07 20:26 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-07 20:20 . 2009-08-07 20:20 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-08-07 20:19 . 2009-08-07 20:19 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-08-07 20:19 . 2009-08-07 20:19 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-07 20:19 . 2009-08-07 20:19 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-08-07 20:19 . 2009-08-07 20:19 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-07 20:19 . 2009-08-07 20:19 23552 ----a-w- c:\windows\system32\lpk.dll
2009-08-07 20:19 . 2009-08-07 20:19 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-07 20:15 . 2009-08-07 20:15 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-08-07 20:12 . 2009-08-07 20:12 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-08-07 20:10 . 2009-08-07 20:10 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-08-07 20:08 . 2009-08-07 20:08 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-07 20:08 . 2009-08-07 20:08 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-07 20:02 . 2009-08-07 20:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-07 20:02 . 2009-08-07 20:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-07 20:02 . 2009-08-07 20:02 1695744 ----a-w- c:\windows\system32\gameux.dll
2009-08-07 20:00 . 2009-08-07 20:00 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-08-07 19:59 . 2009-08-07 19:59 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-08-07 19:59 . 2009-08-07 19:59 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-08-07 19:45 . 2009-08-07 19:45 636928 ----a-w- c:\windows\system32\localspl.dll
2009-08-07 19:36 . 2009-08-07 19:36 2927104 ----a-w- c:\windows\explorer.exe
2009-08-07 19:20 . 2009-08-07 19:20 1793536 ----a-w- c:\windows\system32\NlsLexicons0045.dll
2009-08-07 19:20 . 2009-08-07 19:20 1808896 ----a-w- c:\windows\system32\NlsLexicons0046.dll
2009-08-07 19:20 . 2009-08-07 19:20 1411072 ----a-w- c:\windows\system32\NlsLexicons0047.dll
2009-08-07 19:20 . 2009-08-07 19:20 1558016 ----a-w- c:\windows\system32\NlsLexicons0049.dll
2009-08-07 19:20 . 2009-08-07 19:20 1236992 ----a-w- c:\windows\system32\NlsLexicons0020.dll
2009-08-07 19:20 . 2009-08-07 19:20 1782272 ----a-w- c:\windows\system32\NlsLexicons0039.dll
2009-08-07 19:20 . 2009-08-07 19:20 2136064 ----a-w- c:\windows\system32\NlsLexicons0021.dll
2009-08-07 19:19 . 2009-08-07 19:19 5499904 ----a-w- c:\windows\system32\NlsLexicons0022.dll
2009-08-07 19:19 . 2009-08-07 19:19 7964672 ----a-w- c:\windows\system32\NlsLexicons0024.dll
2009-08-07 19:19 . 2009-08-07 19:19 5791232 ----a-w- c:\windows\system32\NlsLexicons0026.dll
2009-08-07 19:19 . 2009-08-07 19:19 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2009-08-07 19:19 . 2009-08-07 19:19 4175872 ----a-w- c:\windows\system32\NlsLexicons0010.dll
2009-08-07 19:19 . 2009-08-07 19:19 2466816 ----a-w- c:\windows\system32\NlsLexicons0011.dll
2009-08-07 19:19 . 2009-08-07 19:19 4981248 ----a-w- c:\windows\system32\NlsLexicons0013.dll
2009-08-07 19:19 . 2009-08-07 19:19 3331072 ----a-w- c:\windows\system32\NlsLexicons0018.dll
2009-08-07 19:19 . 2009-08-07 19:19 6781440 ----a-w- c:\windows\system32\NlsLexicons0019.dll
2009-08-07 19:18 . 2009-08-07 19:18 11722752 ----a-w- c:\windows\system32\NlsLexicons0001.dll
2009-08-07 19:18 . 2009-08-07 19:18 4164096 ----a-w- c:\windows\system32\NlsLexicons0002.dll
2009-08-07 19:18 . 2009-08-07 19:18 1452544 ----a-w- c:\windows\system32\NlsLexicons0003.dll
2009-08-07 19:18 . 2009-08-07 19:18 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-08-07 19:18 . 2009-08-07 19:18 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-08-07 19:18 . 2009-08-07 19:18 3419136 ----a-w- c:\windows\system32\NlsLexicons004a.dll
2009-08-07 19:18 . 2009-08-07 19:18 1702912 ----a-w- c:\windows\system32\NlsLexicons004b.dll
2009-08-07 19:18 . 2009-08-07 19:18 4093440 ----a-w- c:\windows\system32\NlsLexicons004c.dll
2009-08-07 19:18 . 2009-08-07 19:18 1972736 ----a-w- c:\windows\system32\NlsLexicons004e.dll
2009-08-07 19:18 . 2009-08-07 19:18 4045824 ----a-w- c:\windows\system32\NlsLexicons003e.dll
2009-08-07 19:18 . 2009-08-07 19:18 4096 ----a-w- c:\windows\system32\NlsLexicons002a.dll
2009-08-07 19:18 . 2009-08-07 19:18 6014976 ----a-w- c:\windows\system32\NlsLexicons001a.dll
2009-08-07 19:17 . 2009-08-07 19:17 6585856 ----a-w- c:\windows\system32\NlsLexicons001b.dll
2009-08-07 19:17 . 2009-08-07 19:17 6346240 ----a-w- c:\windows\system32\NlsLexicons001d.dll
2009-08-07 19:17 . 2009-08-07 19:17 9892864 ----a-w- c:\windows\system32\NlsLexicons000a.dll
2009-08-07 19:17 . 2009-08-07 19:17 6237696 ----a-w- c:\windows\system32\NlsLexicons000c.dll
2009-08-07 19:17 . 2009-08-07 19:17 1722368 ----a-w- c:\windows\system32\NlsLexicons000d.dll
2009-08-07 19:17 . 2009-08-07 19:17 5654528 ----a-w- c:\windows\system32\NlsLexicons000f.dll
2009-08-07 19:17 . 2009-08-07 19:17 4616192 ----a-w- c:\windows\system32\NlsLexicons0414.dll
2009-08-07 19:17 . 2009-08-07 19:17 5090816 ----a-w- c:\windows\system32\NlsLexicons0416.dll
2009-08-07 19:17 . 2009-08-07 19:17 5031936 ----a-w- c:\windows\system32\NlsLexicons0816.dll
2009-08-07 19:08 . 2009-08-07 19:08 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-08-07 19:08 . 2009-08-07 19:08 927288 ----a-w- c:\windows\system32\winresume.exe
2009-08-07 19:08 . 2009-08-07 19:08 988216 ----a-w- c:\windows\system32\winload.exe
2009-08-07 19:08 . 2009-08-07 19:08 40960 ----a-w- c:\windows\system32\srclient.dll
2009-08-07 19:08 . 2009-08-07 19:08 378368 ----a-w- c:\windows\system32\srcore.dll
2009-08-07 19:08 . 2009-08-07 19:08 318464 ----a-w- c:\windows\system32\rstrui.exe
2009-08-07 19:08 . 2009-08-07 19:08 14848 ----a-w- c:\windows\system32\srdelayed.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 08:58 . 2007-06-14 00:29 -------- d-----w- c:\programdata\CyberLink
2009-08-12 21:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-08-11 17:13 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-08-11 17:05 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-11 16:53 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-08-11 16:53 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\users\Dave\AppData\Roaming\Apple Computer
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\program files\iTunes
2009-08-10 08:31 . 2009-08-10 08:31 -------- d-----w- c:\program files\iPod
2009-08-10 08:31 . 2009-08-10 08:27 -------- d-----w- c:\program files\Common Files\Apple
2009-08-10 08:31 . 2009-08-10 08:29 -------- d-----w- c:\programdata\Apple Computer
2009-08-10 08:30 . 2009-08-10 08:30 -------- d-----w- c:\program files\Bonjour
2009-08-10 08:30 . 2009-08-10 08:29 -------- d-----w- c:\program files\QuickTime
2009-08-10 08:29 . 2009-08-10 08:29 -------- d-----w- c:\program files\Apple Software Update
2009-08-07 19:05 . 2009-08-07 19:05 551424 ----a-w- c:\windows\system32\rpcss.dll
2009-08-07 18:56 . 2009-08-07 18:56 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-07 18:56 . 2009-08-07 18:56 827904 ----a-w- c:\windows\system32\wininet.dll
2009-08-07 18:56 . 2009-08-07 18:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-07 18:56 . 2009-08-07 18:56 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-07 18:56 . 2009-08-07 18:56 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-14 13:00 . 2009-08-12 20:40 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 20:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 20:40 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 20:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-13 13:22 . 2009-07-13 13:22 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-06-10 12:07 . 2009-08-12 20:40 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-04 12:34 . 2009-08-12 20:40 2066432 ----a-w- c:\windows\system32\mstscax.dll
2007-03-07 12:54 . 2007-03-07 12:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-08-17_21.09.09 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"Keyboard Manager Utility"="c:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2007-01-11 1359872]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-07 2000152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-7-24 3191696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1B73EE88-4F7A-43BB-8042-113A66691A1F}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{8E038C9E-A763-4122-A8D7-C4B553673276}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{5F365C61-1136-4ED9-AE87-DE932DC90DEF}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{76BEC04D-5730-45FB-97EA-8CAD4D43DA86}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{93A64BD9-A71B-458F-AF67-E69E4EB86DD9}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire
"{CBE9CDA2-88CB-4DC3-BF7A-75D4DB431F97}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2AA95F0C-DA8B-47EC-A0D7-F83D7800F576}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F445CF40-7926-4506-88D3-9EE971376E89}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C2E7DA6A-5100-4656-AEA1-DF572F7F6F84}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{524EC277-5CF9-4ACD-BD37-D56389DF1E0A}c:\\windows\\explorer.exe"= UDP:c:\windows\explorer.exe:Windows Explorer
"UDP Query User{2967A633-B9CB-4EF3-B8A3-6B32CFB6ADA7}c:\\windows\\explorer.exe"= TCP:c:\windows\explorer.exe:Windows Explorer

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/08/2009 06:45 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [07/08/2009 18:21 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [07/08/2009 18:21 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/08/2009 18:21 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/08/2009 18:21 297752]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
.
Contents of the 'Scheduled Tasks' folder

2009-08-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\1o9gh5yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 23:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Dave\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-08-17 23:22
ComboFix-quarantined-files.txt 2009-08-17 22:22
ComboFix2.txt 2009-08-17 21:10

Pre-Run: 75,186,135,040 bytes free
Post-Run: 75,160,801,280 bytes free

690 --- E O F --- 2009-08-12 21:04


Dave
davybhoy is offline  
Old 08-17-2009, 05:24 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Good job.

Your Java is out of date.

Java(TM) 6 Update 11 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

===============================

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 08-17-2009, 06:13 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

The log didn't really say much:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

The scan said it found 1 infection although it says it was from my WilliamHill poker setup?

I would need to wait a few days to see if everything is working ok because sometimes it went a few days without anything popping up and then I would get 3 or 4 virus alerts in the space of 2 hours.

Dave
davybhoy is offline  
Old 08-17-2009, 06:40 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Something might not be working right with the Eset online scanner, there should be more information in the log. I'll look into it.

In the meantime, please try this online scan instead.

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 08-18-2009, 05:02 AM   #17 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

Hi and sorry for the delay, it got late and I fell asleep. Here is the Panda log:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-18 12:01:15
PROTECTIONS: 3
MALWARE: 7
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.5 Yes Yes
AVG Anti-Virus Free 8.5 No Yes
Windows Defender 1.1.1505.0 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@atdmt[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@com[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@bs.serving-sys[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@ads.pointroll[2].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Dave
davybhoy is offline  
Old 08-18-2009, 08:37 AM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

These are cookies.

Cookies are nothing to be worried about. They get installed on your computer every time you visit any webpage. Now some of those are good cookies that get installed for ease of use for next time you visit the same page, but some cookies are spyware used for tracking users' surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click Exceptions, identify the site you want to block, and click on Block.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

You can tidy up with this tool:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Let me know in a day or so how the machine is, I'll have final instructions.
tetonbob is offline  
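As an added example (not part of the thread or of any tool mentioned in it), the Python sketch below parses the MALWARE section of a Panda ActiveScan export like the one posted above and flags any row that is not an inactive, severity-0 tracking cookie. The row layout is inferred from the posted log's header line, and the function names are hypothetical.

```python
import re
from collections import Counter

# Column order assumed from the log's header row:
# Id Description Type Active Severity Disinfectable Disinfected Location
ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<sev>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<loc>.+)$"
)
SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}

# MALWARE rows copied from the log posted above; separator lines omitted.
SAMPLE = r"""MALWARE: 7
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@atdmt[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@com[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@bs.serving-sys[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\dave@ads.pointroll[2].txt
SUSPECTS
"""

def parse_malware(log):
    """Return one dict per data row found inside the MALWARE section."""
    rows, in_section = [], False
    for line in map(str.strip, log.splitlines()):
        if line in SECTIONS:
            in_section = line == "MALWARE"
        elif in_section and (m := ROW.match(line)):
            rows.append(m.groupdict())
    return rows

def triage(log):
    """Summarise findings; anything active, severe or not a cookie needs review."""
    rows = parse_malware(log)
    declared = re.search(r"^MALWARE:\s*(\d+)", log, re.M)
    return {
        "declared": int(declared.group(1)) if declared else None,
        "rows": len(rows),
        "distinct_ids": len({r["id"] for r in rows}),
        "by_type": dict(Counter(r["type"] for r in rows)),
        "needs_review": [r for r in rows if r["type"] != "TrackingCookie"
                         or r["active"] == "Yes" or int(r["sev"]) > 0],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the posted log this reports 9 rows covering 7 distinct Ids (matching the "MALWARE: 7" summary line), all of type TrackingCookie, with nothing needing review.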
Old 08-18-2009, 08:42 AM   #19 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 14
OS: Win Vista 32bit SP1


Re: Need help with viruses please - logs attached

It says in your post that ATF Cleaner is for XP and Windows 2000 only. I am running Vista, should I run it anyway?

Dave
davybhoy is offline  
Old 08-18-2009, 08:45 AM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Need help with viruses please - logs attached

Sorry, forgot it was Vista.

ATF-Cleaner can be used on Vista, though even the author's site has seemingly conflicting info

http://www.atribune.org/index.php?op...d=25&Itemid=25

Quote:
Notes for Windows Vista users:

On Windows Vista that "Windows Temp" is disabled, to empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator"
Prefetch has been disabled on Windows Vista. As I'm not sure the effects that emptying prefetch on Windows Vista will have, for the time being I won't enable that function.
tetonbob is offline  
 






All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum