First of all I sincerely apologize for using the lame title to my prior posting. It was my first time using this forum, I really didn't know it was wrong to request help on the title line. It won't happen again :)))
On to my possessed computer: All the websites I go to show an "Error on page" message at the bottom left. Most important, I cannot seem to be able to check for Microsoft updates. I have downloaded and used most spyware programs I can think of. I was able to remove quite a few worms, spyware, Trojans, etc. My antivirus is up to date but I also tried to get an on-line scan by the programs suggested on these forums and none of them work, they simply don't allow me to get it done.
When I try to run the "Windows Defender" It gives me a message that says "Application failed to initialize: 0x800106ba A problem caused Windows Defender service stop"
I also found over 900 MB of unknown files in my "download", "shared" and "incomplete" folders. I have done a lot of cleaning but I just can get this PC to work properly.
After reading some of the posts here I have done additional things to my computer.
I downloaded, installed and am currently running Zone Alarm.
I also run CCleaner, but only deleted things I felt confident about, so things such as in the "System" folders I did not touch.
When I try to set a system restore, I get a blank window. It seems that nothing associated with Microsoft updates is working.
Also I should mention that when I restart my computer it sets itself back to March 2007.
When I start the internet Explorer I always get a second page which opens up to random websites.
When I go to IE/ Help/About I get a window that states "An error has occurred in the script on this page", the descriptions (line, char, error, etc) are all blank; in order to close this little message window I must click on the X about 50 times.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:09:00 AM, on 3/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
IMPORTANT! You have a backdoor trojan on your computer that allows an attacker to access your computer from a remote area! It then sends information such as credit card numbers, passwords, account details and other personal information back to the attacker. I would strongly advise you to alert your bank or any other organizations required IMMEDIATELY and change your private information if you have used the Internet for commercial or business matters, this is urgent, as important information may have already been leaked out!
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Dear Ltangel,
Thank you for taking your time to help me, I really appreciate it :)
Please look at the files you requested :
MAIN.TXT
Deckard's System Scanner v20071014.68
Run by Betty on 2008-03-21 11:17:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
-- Last 5 Restore Point(s) --
123: 2008-03-21 10:13:35 UTC - RP123 - Deckard's System Scanner Restore Point
122: 2008-03-21 09:52:50 UTC - RP122 - System Checkpoint
121: 2008-03-20 09:33:57 UTC - RP121 - System Checkpoint
120: 2007-03-19 16:58:51 UTC - RP120 - Installed Windows XP Windows Script.
119: 2008-03-19 13:46:27 UTC - RP119 - Installed Windows Defender
-- First Restore Point --
1: 2008-03-17 22:42:21 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Betty.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:17:59 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
-- End of Deckard's System Scanner: finished at 2008-03-21 11:18:34 ------------
EXTRA.TXT
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
CPU 1: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 2047.23 MiB / 1580.03 MiB
Pagefile Memory (total/avail): 3943.72 MiB / 3613.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.85 MiB
C: is Fixed (NTFS) - 147.03 GiB total, 126.44 GiB free.
D: is Fixed (NTFS) - 225.58 GiB total, 194.48 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
Y: is CDROM (No Media)
Event Record #/Type2460 / Error
Event Submitted/Written: 03/21/2008 11:16:48 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011639.
Processing media-specific event for [dss.exe!ws!]
Event Record #/Type2459 / Error
Event Submitted/Written: 03/21/2008 11:14:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
Processing media-specific event for [dss.exe!ws!]
Event Record #/Type2457 / Error
Event Submitted/Written: 03/21/2008 07:52:31 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Event Record #/Type2449 / Error
Event Submitted/Written: 03/20/2008 07:30:43 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ahijackthis.exe, version 2.0.0.2, faulting module ssttt.dll, version 0.0.0.0, fault address 0x00061bf3.
Processing media-specific event for [ahijackthis.exe!ws!]
Event Record #/Type2448 / Error
Event Submitted/Written: 03/20/2008 07:28:13 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module ssttt.dll, version 0.0.0.0, fault address 0x00061bf3.
Processing media-specific event for [hijackthis.exe!ws!]
-- System Event Log ------------------------------------------------------------
Event Record #/Type2956 / Warning
Event Submitted/Written: 03/21/2008 07:51:34 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0019DBB06964. The IP address being used is 169.254.213.254.
Event Record #/Type2955 / Warning
Event Submitted/Written: 03/21/2008 07:51:28 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type2954 / Warning
Event Submitted/Written: 03/21/2008 07:51:00 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type2933 / Warning
Event Submitted/Written: 03/21/2008 07:49:08 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type2865 / Warning
Event Submitted/Written: 03/20/2008 04:09:54 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
-- End of Deckard's System Scanner: finished at 2008-03-21 11:18:34 ------------
Thanks for posting the logs required, please be patient while I review the logs. Meanwhile, please do not download anything or visit any other sites other than the forums here. Also, please do not attempt to fix anything with HijackThis.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
* Please, never rename Combofix unless instructed.
* Close any open browsers.
* Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
* Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
* Double click on combofix.exe & follow the prompts.
* When finished, it will produce a report for you.
* Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
ComboFix 08-03-20.5 - Betty 2008-03-21 12:56:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1643 [GMT 1:00]
Running from: C:\Documents and Settings\Betty\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! .
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Contents of the 'Scheduled Tasks' folder
"2007-03-20 02:30:05 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 13:02:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\qomlmjg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-03-21 13:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 12:03:47
.
2008-03-19 08:00:28 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:04:19 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Please read the entire instructions before commencing and ask any questions you may have before carrying them out.
Disable Avast antivirus
We need to temporarily disable Avast as it may interfere with some of the tools we are using for the fix. To disable it, please right click on the avast! icon in system tray and choose (Stop On-Access Protection).
Please download VundoFix.exe to your desktop
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
1. Download and install SUPERAntiSpyware and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:
1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Please leave the others unchecked.
5. Click the Close button to leave the control center screen.
6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me please do the following:
1. After reboot, double-click the SUPERAntispyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.
14. Click close and close again to exit the program.
15. Save the log information on your desktop.
After my last reboot, I was not able to start Windows "Normally". After unsuccessfully trying for 3 times I started in "Safe mode", and re-started once again, this time effectively.
I received an error message stating; Error loading C:\windows\system323\bufunmelle.dll does not exist.
VundoFix.exe came up with "No files to be removed"
Here are the other logs, and thanks so much for your patience:
Adware.Tracking Cookie
C:\Documents and Settings\Betty\Cookies\betty@atdmt[2].txt
C:\Documents and Settings\Betty\Cookies\betty@sale.antispywaresuite[1].txt
C:\Documents and Settings\Betty\Cookies\betty@affiliate.wordtracker[2].txt
C:\Documents and Settings\Betty\Cookies\betty@sale.trustedantivirus[1].txt
C:\Documents and Settings\Betty\Cookies\betty@antispywaresuite[1].txt
C:\Documents and Settings\Betty\Cookies\betty@ad.zanox[1].txt
C:\Documents and Settings\Betty\Cookies\betty@trustedantivirus[1].txt
C:\Documents and Settings\Betty\Cookies\betty@adnetserver[3].txt
C:\Documents and Settings\Betty\Cookies\betty@doubleclick[3].txt
C:\Documents and Settings\Betty\Cookies\betty@stats.1stmarketingtraffic[1].txt
C:\Documents and Settings\Betty\Cookies\betty@adnetserver[2].txt
C:\Documents and Settings\Betty\Cookies\betty@ads.digital5media[1].txt
C:\Documents and Settings\Betty\Cookies\betty@apmebf[2].txt
C:\Documents and Settings\Betty\Cookies\betty@doubleclick[2].txt
C:\Documents and Settings\Betty\Cookies\betty@komtrack[2].txt
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:27:52 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Looks like you have a very nasty vundo infection. :( We'll use a stronger tool to remove it. Anyway, I still see Avast in your HijackThis log, did you disable it according to my instructions? If not please disable Avast before continuing with the removal process. Also, did you rename HijackThis.exe to n-ice.exe? If you didn't, please rename it back to Betty.exe.
NB: Please read the entire instructions before commencing them. It is vital that you carry out each step with care and not miss out or misunderstand any step. Please ask if you have trouble understanding any part of the instructions.
Disable Avast antivirus
We need to temporarily disable Avast as it may interfere with some of the tools we are using for the fix. To disable it, please right click on the avast! icon in system tray and choose (Stop On-Access Protection).
* Download VirtumundoBegone to your desktop.
* Run VirtumundoBeGone.exe and follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, this is normal and expected.
* When it has finished, reboot.
* It will create a log on your desktop called VBG.TXT.
Now close all windows/browsers except HijackThis, and click on "Fix Checked". Close HijackThis and reboot into safe mode. (Tap F8 before windows starts)
In safe mode, please do the following:
1. Go to Add or Remove Programs in Control Panel, and remove the following programs (if present):
DNA
BitTorrent
Using Windows Explorer, please search and delete the following folders/files (if present):
Dear Ltangel,
I am so glad to see you again!! :))) I was so worried because tomorrow morning I will be going away for 2 weeks and didn't want you to think I was ignoring you.
I followed your instructions, as closely as possible, there were some files I could not find and / or delete as follows:
. I always get the message that the page is done but with errors.
. When going into the Afterdawn website it is painfully slow.
Here are my logs:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:43:19 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Ah, so you'll be away for two weeks? Alright, I'll try to finish fixing your computer today. How long more can you stay?
You did the exact right thing to delete C:\WINDOWS\system32\qomlmjg.dll.vir. The .vir was there because VirtumundoBegone renamed it. :)
Alright, VirtumundoBegone got rid of some vundo files, but there are still some persistent ones. We'll download another tool to solve this problem. We're close to closing this issue. :)
* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
* Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
1. Click the Scan your PC button
2. A new window will open, click the Check Now button
3. Enter your Country, State/Province and e-mail address and click send
4. Select Home User
5. Click the Scan Now button
8. Allow any installation of ActiveX component(s)
9. It will start downloading the files it requires for the scan (Note: It may take a while)
10. When done, click on My Computer
11. When the scan completes, click the See Report button, then save it to desktop. Post the contents of the ActiveScan report on here.
I will be here as long as you can help me. Thank you :))) When I said I am leaving tomorrow morning, I meant "Sunday" morning.
First: I keep getting a Microsoft Visual C++ Runtime Library window which states:
Buffer overrun detected!
Program C:\Windows\Explorer.exe
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must be terminated.
I don't really notice anything happening when I click YES except that my task bar hides and comes back up (I have the bar set for auto-hide)
After restarting I got 2 additional RUNDLL messages:
1. Error loading C:\windows\system32\bqcxkvkq.dll
The specified module could not be found and
2. Error loading C:\windows\system32\bastjsio.dll
The specified module could not be found.
When I go on the internet I keep getting some messages which are attached to the page (I am not sure I am explaining this correctly) it is not a pop-up window. They have symbols of bugs and state messages that my antivirus is out of date. The only way I get rid of them is by refreshing the page.
As with all online antivirus detectors I have tried so far, I cannot seem to run Panda, nothing happens when I click on "Scan your PC" except for the error in page message.
Therefore I don't have that log :(((((
Here are the other ones:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:57:45 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B678C203-23EB-42C2-AE1B-F2A67A87E5FB} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: {0741e8a5-e647-d2da-e9b4-4db83ba78a2e} - {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} - C:\WINDOWS\system32\iscmlxap.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\bastjsio.dll",b
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\bqcxkvkq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1200211951812
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/...ows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 7081 bytes
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bastjsio.dll
C:\WINDOWS\system32\bastjsio.dll NOT unregistered.
C:\WINDOWS\system32\bastjsio.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bqcxkvkq.dll
C:\WINDOWS\system32\bqcxkvkq.dll NOT unregistered.
C:\WINDOWS\system32\bqcxkvkq.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\pmnnl.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\pmnnl.dll scheduled to be moved on reboot.
[Custom Input]
< C:\WINDOWS\system32\ummrbxoj.dll >
File/Folder C:\WINDOWS\system32\ummrbxoj.dll not found.
< C:\WINDOWS\system32\nnnkklj.dll >
File/Folder C:\WINDOWS\system32\nnnkklj.dll not found.
OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03222008_124447
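An added example, not part of the original thread: a small Python triage that cross-references the HijackThis autostart entries (O2 BHOs, O4 Run keys) with the OTMoveIt2 removal log posted above. It reports entries whose target DLL has already been moved, which leaves an orphaned Run value and produces the RUNDLL "Error loading ... The specified module could not be found" message at logon. The input lines are copied from the logs in this post; the two naming heuristics are assumptions made for this example, not rules used by HijackThis or by the helper.

```python
import re

# Lines copied from the HijackThis and OTMoveIt2 logs posted above.
HIJACKTHIS_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B678C203-23EB-42C2-AE1B-F2A67A87E5FB} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: {0741e8a5-e647-d2da-e9b4-4db83ba78a2e} - {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} - C:\WINDOWS\system32\iscmlxap.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\bastjsio.dll",b
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\bqcxkvkq.dll",s
"""
OTMOVEIT_LOG = r"""
C:\WINDOWS\system32\bastjsio.dll moved successfully.
C:\WINDOWS\system32\bqcxkvkq.dll moved successfully.
File move failed. C:\WINDOWS\system32\pmnnl.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\ummrbxoj.dll not found.
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)$', re.I)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
MOVED_RE = re.compile(r"^(?P<path>\S.*?) moved successfully\.$")
PENDING_RE = re.compile(
    r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
SYSTEM32 = "c:\\windows\\system32\\"


def norm(path):
    """Comparison key for a Windows path (case-insensitive, unquoted)."""
    return path.strip().strip('"').lower()


def parse_removal_log(text):
    """Return (moved, pending): paths the tool moved or queued for reboot."""
    moved, pending = set(), set()
    for line in (l.strip() for l in text.splitlines()):
        m = MOVED_RE.match(line)
        if m:
            moved.add(norm(m.group("path")))
            continue
        m = PENDING_RE.match(line)
        if m:
            pending.add(norm(m.group("path")))
    return moved, pending


def parse_autostarts(text):
    """Extract O2 (BHO) and O4 (Run key) entries from a HijackThis log."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = BHO_RE.match(line)
        if m:
            entries.append({"kind": "BHO", "label": m.group("name"),
                            "path": norm(m.group("path")), "export": None,
                            "missing": m.group("missing") is not None})
            continue
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            entries.append({"kind": "Run", "label": m.group("value"),
                            "path": norm(r.group("dll") if r else m.group("cmd")),
                            "export": r.group("export") if r else None,
                            "missing": False})
    return entries


def triage(hjt_text, removal_text):
    """Return autostart entries worth a second look, each with its reasons."""
    moved, pending = parse_removal_log(removal_text)
    findings = []
    for e in parse_autostarts(hjt_text):
        reasons = []
        if e["missing"]:
            reasons.append("HijackThis marks the file as missing")
        if e["path"] in moved:
            reasons.append("orphaned: target already moved by OTMoveIt2")
        if e["path"] in pending:
            reasons.append("target queued for move on reboot")
        # The two checks below are heuristics assumed for this example.
        in_sys32_root = (e["path"].startswith(SYSTEM32)
                         and "\\" not in e["path"][len(SYSTEM32):])
        unnamed = e["label"] == "(no name)" or bool(GUID_RE.match(e["label"]))
        if e["kind"] == "BHO" and in_sys32_root and unnamed:
            reasons.append("unnamed BHO loading a DLL from system32")
        if e["export"] is not None and len(e["export"]) == 1:
            reasons.append("rundll32 entry with a one-character export")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def orphaned(findings):
    """Paths of autostart entries whose target file is already gone."""
    return sorted(f["path"] for f in findings
                  if any(r.startswith("orphaned") for r in f["reasons"]))


if __name__ == "__main__":
    for f in triage(HIJACKTHIS_LOG, OTMOVEIT_LOG):
        print(f["kind"], f["label"], f["path"], "->", "; ".join(f["reasons"]))
```

Entries reported as orphaned still need their registry value removed even though the file itself is gone.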
Something hidden seems to be putting all the malicious files back into your computer.
Enable show hidden folders and files
1) Please go to Control Panel>Appearance and Themes>Folder Options and go under "View" tab.
2) Then under "Hidden Files and Folders" please select "Show hidden files and folders" and UNcheck "Hide extensions for known file types".
3) Click Apply and close Control panel.
Rerun Deckard's System Scan
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
IMPORTANT! You have a backdoor trojan on your computer that allows an attacker to access your computer from a remote area! It then sends information such as credit card numbers, passwords, account details and other personal information back to the attacker. I would strongly advise you to alert your bank or any other organizations required IMMEDIATELY and change your private information if you have used the Internet for commercial or business matters, this is urgent, as important information may have already been leaked out!
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Go!
~Ltangel~
Do you see it now? You might have removed it, if you have please follow the instructions again here and give me a DSS log.
So sorry, I forgot Deckards had a nick name (DSS) :)
Here is the log
Deckard's System Scanner v20071014.68
Run by Betty on 2008-03-22 14:00:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Betty.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:00:52 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Dear Ltangel,
First good news, The IE is performing much faster than before :)))
Since I couldn't find the "xing shared" file, I tried to perform a search and got a message "Can not perform search, a file that is required to run search companion cannot be found"
Here is my log:
ComboFix 08-03-20.5 - Betty 2008-03-22 14:40:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1688 [GMT 1:00]
Running from: C:\Documents and Settings\Betty\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Betty\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.