rogue antivirus? seems to be many things


  • This topic is locked
22 replies to this topic

#1 ZamboFire (Members, 11 posts)

Posted 21 November 2009 - 07:24 PM

A little over a month ago I had a bad problem with Antivirus Pro 2010, Windows Security Center, something with a blue and white shield icon whose name I can't remember and I believe one other thing as well. I hoped I had finally removed all of them using a combination of Malwarebytes and whatever I could do on my own from online manual removal guides. (Yes, I have unfortunately been messing with the registry myself.) I suspected it was not over but nothing seemed to show up as much of a problem until a few days ago. I had let msconfig go back to default since I turned off a lot when I was having problems in order to try and run removal programs. The infections had disabled task manager, McAfee, system restore, and registry editing at one point.
This past time I had "system defender" suddenly installed on my laptop and Malwarebytes turned up over 700 instances of problems related to the registry by something labeled "security.hijack". Spybot S&D found "Fraud.WindowsProtectionSuite" and "Microsoft.Windows.RedirectedHosts" which it couldn't remove until I had run SDFix and HostsXpert following removal instructions I had found on a site.
I've run Malwarebytes and Spybot several times at this point with nothing showing but my laptop is still not behaving right. I get redirected trying to go to sites off Google searches and certain sites like the one I use to access my classes at school will freeze up and crash Firefox. AIM constantly freezes after signing on as well. I also have not been able to get Internet Explorer on my computer again since the first wave of attacks. Thank you to anyone who will take the time to try and help.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Ren at 15:09:51.95 on Sat 11/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.962 [GMT -6:00]

AV: System Defender *On-access scanning enabled* (Updated) {08053888-0E8B-4AAD-A28E-341DD8B29C7B}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: System Defender *enabled* {42886FAB-A7AB-4E1B-B659-67B32F2AB307}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CallWave\IAM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ren\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/puccini/start
uSearch Page =
uSearch Bar =
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MyPoints Toolbar 2.0: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Dell QuickSet] c:\progra~1\dell\quickset\quickset.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
StartupFolder: c:\documents and settings\ren\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\callwave.lnk - c:\program files\callwave\IAM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {58fc4c77-71c2-4972-a8cd-78691ad85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1217956790437
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {a52fbd2b-7ab3-4f6b-90e3-91c772c5d00f} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {ba35b9b8-de9e-47c9-afa7-3c77e3ddfd39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: sofokujo.dll c:\windows\ c:\windows\system32\bufezeza.dll
SSODL: yinemijet - {ad8537c0-b68d-483b-83a6-f0a15ca8b0e0} - c:\windows\system32\hugupapu.dll
SSODL: rujavinet - {494e2888-ae7f-4508-a854-dd2dae7c0401} - c:\windows\system32\hugupapu.dll
SSODL: hawawafot - {55753b49-c3b5-4452-b13d-08fa8bbbed94} - c:\windows\system32\bufezeza.dll
STS: gahurihor: {ad8537c0-b68d-483b-83a6-f0a15ca8b0e0} - c:\windows\system32\hugupapu.dll
STS: kupuhivus: {494e2888-ae7f-4508-a854-dd2dae7c0401} - c:\windows\system32\hugupapu.dll
STS: tokatiluy: {55753b49-c3b5-4452-b13d-08fa8bbbed94} - c:\windows\system32\bufezeza.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli gadibure.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ren\applic~1\mozilla\firefox\profiles\zni204dd.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\ren\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\ren\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\ren\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {8193F866-B181-4EF7-9229-DC5FCDB369C0} - c:\documents and settings\administrator.dhw1hy71\local settings\application data\{8193F866-B181-4EF7-9229-DC5FCDB369C0}
FF - HiddenExtension: XULRunner: {EB803131-FF7B-4E3D-8F14-56CE5CDF3FA2} - c:\documents and settings\ren\local settings\application data\{EB803131-FF7B-4E3D-8F14-56CE5CDF3FA2}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-20 18:29:52 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-11-20 18:22:00 0 d-----w- c:\windows\ERUNT
2009-11-20 18:16:52 0 d-----w- C:\SDFix
2009-11-18 04:46:33 0 d-sh--w- c:\documents and settings\ren\PrivacIE
2009-11-18 04:42:25 0 d-sh--w- c:\docume~1\alluse~1\applic~1\5cf1b65
2009-11-15 22:57:47 202072 ----a-r- c:\windows\system32\cpnprt2.cid
2009-11-15 22:57:42 0 d-----w- c:\windows\Cache
2009-11-15 22:57:41 0 d-----w- c:\program files\Coupons
2009-11-14 20:52:22 0 d-sh--w- c:\documents and settings\ren\IETldCache
2009-11-14 20:05:50 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-14 20:05:29 0 d-----w- c:\windows\ie8updates
2009-11-14 20:04:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 20:04:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-14 19:59:38 0 dc-h--w- c:\windows\ie8

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-04 05:37:57 691712 ----a-w- c:\windows\is-P80P3.exe
2009-10-02 20:41:28 691712 ----a-w- c:\windows\is-JJ83K.exe
2009-10-02 16:56:15 18929 ----a-w- c:\windows\devybugu.vbs
2009-10-02 16:56:15 18860 ----a-w- c:\windows\system32\tovytifa.pif
2009-10-02 16:56:15 17130 ----a-w- c:\program files\common files\fyhipafax.reg
2009-10-02 16:56:15 17058 ----a-w- c:\windows\ugalyjypo.bat
2009-10-02 16:56:15 16950 ----a-w- c:\program files\common files\ubobi.pif
2009-10-02 16:56:15 15465 ----a-w- c:\windows\system32\nafir.sys
2009-10-02 16:56:15 12935 ----a-w- c:\windows\ujiz.com
2009-10-02 16:56:15 12757 ----a-w- c:\program files\common files\cygyqasyci.vbs
2009-10-02 16:56:15 10288 ----a-w- c:\program files\common files\dyqykeca.dll
2009-10-01 02:38:19 18177 ----a-w- c:\program files\common files\afyxo.lib
2009-10-01 02:38:19 16736 ----a-w- c:\windows\vixetogaf.dat
2009-10-01 02:38:19 14816 ----a-w- c:\program files\common files\omunyzituk.bin
2009-10-01 02:38:19 13637 ----a-w- c:\windows\fahugumih.pif
2009-10-01 02:38:19 12114 ----a-w- c:\windows\system32\osogepore.dat
2009-09-30 23:54:47 19775 ----a-w- c:\program files\common files\izom.lib
2009-09-30 23:54:47 19422 ----a-w- c:\windows\eqenugagu.sys
2009-09-30 23:54:47 19334 ----a-w- c:\program files\common files\bidije.lib
2009-09-30 23:54:47 15457 ----a-w- c:\windows\urivexiga.dll
2009-09-30 23:54:47 13986 ----a-w- c:\windows\keje.scr
2009-09-30 23:54:47 13171 ----a-w- c:\windows\system32\gopyw.dll
2009-09-30 23:46:50 19028 ----a-w- c:\windows\system32\heqigacami.exe
2009-09-30 23:46:50 17744 ----a-w- c:\windows\uregedy.sys
2009-09-30 23:46:50 17616 ----a-w- c:\program files\common files\xolesog.lib
2009-09-30 23:46:50 16526 ----a-w- c:\program files\common files\ihywita.com
2009-09-30 23:46:50 16149 ----a-w- c:\program files\common files\ponar.dl
2009-09-30 23:46:50 15690 ----a-w- c:\windows\heqemiqyxu.vbs
2009-09-30 23:46:50 14065 ----a-w- c:\program files\common files\kezibi.ban
2009-09-30 23:46:50 13767 ----a-w- c:\program files\common files\cajatajy.inf
2009-09-30 23:46:50 10978 ----a-w- c:\program files\common files\kyjaduh.reg
2009-09-30 23:15:00 19375 ----a-w- c:\windows\qanekewaq.bin
2009-09-30 23:15:00 19051 ----a-w- c:\windows\unejynuhe.reg
2009-09-30 23:15:00 18401 ----a-w- c:\windows\system32\humoc.com
2009-09-30 23:15:00 18214 ----a-w- c:\windows\gyweqyxoce.vbs
2009-09-30 23:15:00 17873 ----a-w- c:\windows\system32\ekypo.bin
2009-09-30 23:15:00 14044 ----a-w- c:\windows\system32\xyropym.com
2009-09-30 23:15:00 13947 ----a-w- c:\windows\uvyxuzow.com
2009-09-30 23:15:00 12975 ----a-w- c:\windows\awawodi.reg
2009-09-30 23:15:00 11252 ----a-w- c:\docume~1\alluse~1\applic~1\okokisiz.bat
2009-09-30 23:15:00 10700 ----a-w- c:\windows\system32\uvir.com
2009-09-30 23:15:00 10536 ----a-w- c:\program files\common files\tonyjiwe.bin
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-08-29 08:08:21 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-08-29 08:08:20 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-08-29 08:08:18 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-29 08:08:18 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-29 08:08:18 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-08-29 08:08:18 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-08-29 08:08:17 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-08-29 08:08:16 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-08-29 08:08:13 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-08-29 07:36:24 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-08-29 00:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2008-12-10 07:27:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121020081211\index.dat

============= FINISH: 15:17:51.06 ===============
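The lines DDS prints under AppInit_DLLs, SSODL, STS, LSA and IFEO near the end of the Pseudo HJT Report are where the real persistence sits in this log: two DLLs with generated names (hugupapu.dll, bufezeza.dll) registered three times each under two Explorer load points, a third (sofokujo.dll) injected through AppInit_DLLs, a fourth (gadibure.dll) appended to the LSA notification packages, and two IFEO Debugger redirections. The Python below is an added example, not part of this thread and not DDS, ComboFix or any tool the helper used: it parses those DDS lines and reports what is hooked where. The sample log is constructed from the entries in post #1 plus one invented benign SSODL entry (XP's WebCheck handler), and the known-good lists are an assumption about a default Windows XP install.

```python
"""Flag the persistence hooks in a DDS "Pseudo HJT Report".

Added example for this thread; not DDS, ComboFix or any tool the helper
used.  It reads DDS's one-entry-per-line output and reports the autostart
points that a rogue-AV / Vundo-style infection abuses:
  AppInit_DLLs            loaded into every process that maps user32.dll
  SSODL / STS             COM objects Explorer loads at logon
  LSA Notification Pkgs   DLLs loaded into lsass.exe (runs as SYSTEM)
  IFEO Debugger           "run <debugger> instead of <image>"
"""
import ntpath
import re
from collections import defaultdict

# Assumption: defaults of a home Windows XP install.  scecli is the only
# LSA notification package; rassfm / kdcsvc belong on servers and DCs.
KNOWN_GOOD_LSA = {"scecli"}
# XP's own SSODL / STS handlers.  Anything else in these keys deserves a look.
KNOWN_GOOD_SHELL_DLLS = {"webcheck.dll", "shell32.dll", "stobject.dll", "browseui.dll"}

CLSID = r"(?P<clsid>\{[0-9a-fA-F-]{36}\})"
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>.+)$")
SSODL_RE = re.compile(r"^SSODL: (?P<name>.+?) - " + CLSID + r" - (?P<path>.+)$")
STS_RE = re.compile(r"^STS: (?P<name>.+?): " + CLSID + r" - (?P<path>.+)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+)$")
IFEO_RE = re.compile(r"^IFEO: (?P<image>.+?) - (?P<debugger>.+)$")

# Constructed sample: the hook lines from the DDS log in post #1, two benign
# Notify/SEH lines from the same log, and one invented benign SSODL entry
# (XP's WebCheck) to show that known-good handlers are not reported.
SAMPLE_LOG = r"""
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: sofokujo.dll c:\windows\ c:\windows\system32\bufezeza.dll
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll
SSODL: yinemijet - {ad8537c0-b68d-483b-83a6-f0a15ca8b0e0} - c:\windows\system32\hugupapu.dll
SSODL: rujavinet - {494e2888-ae7f-4508-a854-dd2dae7c0401} - c:\windows\system32\hugupapu.dll
SSODL: hawawafot - {55753b49-c3b5-4452-b13d-08fa8bbbed94} - c:\windows\system32\bufezeza.dll
STS: gahurihor: {ad8537c0-b68d-483b-83a6-f0a15ca8b0e0} - c:\windows\system32\hugupapu.dll
STS: kupuhivus: {494e2888-ae7f-4508-a854-dd2dae7c0401} - c:\windows\system32\hugupapu.dll
STS: tokatiluy: {55753b49-c3b5-4452-b13d-08fa8bbbed94} - c:\windows\system32\bufezeza.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli gadibure.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
"""


def triage(log_text):
    """Parse DDS lines; return what is hooked, where, and by which files."""
    dlls = set()                    # file names loaded from a flagged key
    ifeo = []                       # (image, debugger) redirections
    flagged = []                    # raw lines that produced a finding
    clsid_keys = defaultdict(set)   # clsid -> keys it is registered under

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := APPINIT_RE.match(line):
            # Any AppInit_DLLs value on a home machine is a finding: the DLL
            # is mapped into every process that loads user32.dll, Firefox
            # and AIM included.
            for tok in m["value"].split():
                if tok.lower().endswith(".dll"):
                    dlls.add(ntpath.basename(tok).lower())
            flagged.append(line)
        elif (m := SSODL_RE.match(line)) or (m := STS_RE.match(line)):
            key = line.split(":", 1)[0]
            clsid_keys[m["clsid"].lower()].add(key)
            dll = ntpath.basename(m["path"]).lower()
            if dll not in KNOWN_GOOD_SHELL_DLLS:
                dlls.add(dll)
                flagged.append(line)
        elif m := LSA_RE.match(line):
            # lsass.exe loads every listed package at boot; a stray DLL here
            # runs as SYSTEM and is called on every password change.
            bad = [p.lower() for p in m["pkgs"].split() if p.lower() not in KNOWN_GOOD_LSA]
            if bad:
                dlls.update(bad)
                flagged.append(line)
        elif m := IFEO_RE.match(line):
            # A Debugger value means Windows launches <debugger> with <image>
            # as its argument instead of running <image> itself.
            ifeo.append((m["image"], m["debugger"]))
            flagged.append(line)

    # The same CLSID under both SSODL and STS means Explorer loads that object
    # from two keys; cleaning only one of them leaves the DLL resident.
    shared = sorted(c for c, keys in clsid_keys.items() if {"SSODL", "STS"} <= keys)
    return {"dlls": dlls, "ifeo": ifeo, "shared_clsids": shared, "lines": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Files to collect before cleaning:", ", ".join(sorted(result["dlls"])))
    for image, debugger in result["ifeo"]:
        print(f"IFEO redirect: starting {image!r} runs {debugger!r}")
    print("CLSIDs hooked at both SSODL and STS:", len(result["shared_clsids"]))
```

Run it directly for the summary, or call triage() on the text of any saved DDS log. The CLSID cross-check is the practical part: each of the three objects is registered under both SSODL and STS, so deleting only one set of entries leaves Explorer loading the same DLL from the other key at the next logon. The flagged file names are the ones worth copying off the machine for analysis before a cleaner removes them.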


#2 thcbytes (Members, 12,471 posts)

Posted 28 November 2009 - 10:36 AM

Hello,
Do you still desire help? Please outline your current problems and inform me of what you have done since your last post.
Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html

#3 ZamboFire (Topic Starter, Members, 11 posts)

Posted 28 November 2009 - 04:28 PM

Yes, please. I definitely still need help. All I have done since the last post was try running Spybot S&D and Malwarebytes again, neither of which really turned up anything at all.
Currently, the most noticeable problem is that I cannot run AIM and browsers like Firefox do not run properly. Any links I click on from searches take me to random places anywhere from what looks like search results from some odd site to places selling things to porn sites. Sometimes if I am on a page a new tab will randomly open up. Sometimes it just crashes.
I was able to run Internet Explorer if I went a roundabout way of finding and opening it by seeking it out through exploring my computer. It runs super slow (takes about 5 minutes to even open up a window, then even more time before that window is anything more than a white rectangle) and doesn't stay running for long.
Most of the time I am unable to log into my college's system from my computer but I noticed today that it let me briefly before firefox became unresponsive yet again.
This morning a brand new problem occurred when my laptop decided to restart itself without any prompt from myself while I was in the middle of watching something. It hasn't happened again yet and I saw no warning signs or error messages. Everything just started closing and it shut down, much faster than it ever does when I ask it to restart, strangely enough. It seemed to reboot from that faster than normal as well actually.
Thank you for the help. I hope the problems are understandable but I will try to clarify anything you are not sure about what I meant.

#4 thcbytes (Members, 12,471 posts)

Posted 28 November 2009 - 07:09 PM

Hello,

Let's begin....

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Spybot

It will interfere with the fix!

Additional instructions can be found here if needed.

==========

Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable the anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt (screenshot not reproduced).

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Please copy and paste all logs in your reply.
* Exehelper log
* Combofix.txt
* How is it running now?
* You're not clean till I alert you of such. Make no changes to your computer until I give you the go-ahead, please.

Kind regards,
~t

#5 ZamboFire (Topic Starter, Members, 11 posts)

Posted 30 November 2009 - 12:26 AM

Hello,

The computer doesn't seem to be running any better/differently. Still having problems with AIM and the browsers. Here are the logs:

exeHelper by Raktor
Build 20091122
Run at 20:35:14 on 11/29/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


ComboFix 09-11-29.03 - Ren 11/29/2009 21:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1180 [GMT -6:00]
Running from: c:\documents and settings\Ren\Desktop\thcbytes.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.DHW1HY71\Local Settings\Application Data\{8193F866-B181-4EF7-9229-DC5FCDB369C0}
c:\documents and settings\Administrator.DHW1HY71\Local Settings\Application Data\{8193F866-B181-4EF7-9229-DC5FCDB369C0}\chrome.manifest
c:\documents and settings\Administrator.DHW1HY71\Local Settings\Application Data\{8193F866-B181-4EF7-9229-DC5FCDB369C0}\chrome\content\_cfg.js
c:\documents and settings\Administrator.DHW1HY71\Local Settings\Application Data\{8193F866-B181-4EF7-9229-DC5FCDB369C0}\chrome\content\overlay.xul
c:\documents and settings\Administrator.DHW1HY71\Local Settings\Application Data\{8193F866-B181-4EF7-9229-DC5FCDB369C0}\install.rdf
c:\documents and settings\All Users\Application Data\okokisiz.bat
c:\documents and settings\Ren\Application Data\sawosekej.inf
c:\documents and settings\Ren\Cookies\civafusuc.bat
c:\documents and settings\Ren\Cookies\zuhukubeti.dat
c:\documents and settings\Ren\Local Settings\Application Data\{EB803131-FF7B-4E3D-8F14-56CE5CDF3FA2}
c:\documents and settings\Ren\Local Settings\Application Data\{EB803131-FF7B-4E3D-8F14-56CE5CDF3FA2}\chrome.manifest
c:\documents and settings\Ren\Local Settings\Application Data\{EB803131-FF7B-4E3D-8F14-56CE5CDF3FA2}\chrome\content\_cfg.js
c:\documents and settings\Ren\Local Settings\Application Data\{EB803131-FF7B-4E3D-8F14-56CE5CDF3FA2}\chrome\content\overlay.xul
c:\documents and settings\Ren\Local Settings\Application Data\{EB803131-FF7B-4E3D-8F14-56CE5CDF3FA2}\install.rdf
c:\program files\Common Files\cajatajy.inf
c:\program files\Common Files\cygyqasyci.vbs
c:\program files\Common Files\fyhipafax.reg
c:\program files\Common Files\kyjaduh.reg
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\awawodi.reg
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\devybugu.vbs
c:\windows\ezypomy.inf
c:\windows\gyweqyxoce.vbs
c:\windows\heqemiqyxu.vbs
c:\windows\keje.scr
c:\windows\puxamyre.inf
c:\windows\system32\bszip.dll
c:\windows\system32\cofivagewa.inf
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\ugalyjypo.bat
c:\windows\unejynuhe.reg
c:\windows\urivexiga.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ed}
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-20 18:29 . 2009-11-20 18:29 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-11-20 18:22 . 2009-11-20 18:22 -------- d-----w- c:\windows\ERUNT
2009-11-20 18:16 . 2009-11-20 18:58 -------- d-----w- C:\SDFix
2009-11-19 21:48 . 2009-11-19 21:48 -------- d-sh--w- c:\documents and settings\Administrator.DHW1HY71\IETldCache
2009-11-18 04:46 . 2009-11-18 04:46 -------- d-sh--w- c:\documents and settings\Ren\PrivacIE
2009-11-18 04:44 . 2008-05-28 00:50 189952 ----a-w- c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\PowerReg Scheduler.exe
2009-11-18 04:44 . 2009-10-29 23:46 443384 ----a-w- c:\documents and settings\All Users\Application Data\5cf1b65\sqlite3.dll
2009-11-18 04:44 . 2009-10-29 23:46 710136 ----a-w- c:\documents and settings\All Users\Application Data\5cf1b65\mozcrt19.dll
2009-11-18 04:42 . 2009-11-18 04:45 -------- d-sh--w- c:\documents and settings\All Users\Application Data\5cf1b65
2009-11-15 22:57 . 2009-11-15 22:57 -------- d-----w- c:\windows\Cache
2009-11-15 22:57 . 2009-11-15 22:57 -------- d-----w- c:\program files\Coupons
2009-11-14 23:30 . 2009-11-14 23:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-14 20:55 . 2009-11-14 20:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-14 20:52 . 2009-11-14 20:52 -------- d-sh--w- c:\documents and settings\Ren\IETldCache
2009-11-14 20:05 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-14 20:05 . 2009-11-14 20:05 -------- d-----w- c:\windows\ie8updates
2009-11-14 20:04 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-14 20:04 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 19:59 . 2009-11-14 20:03 -------- dc-h--w- c:\windows\ie8
2009-11-11 06:06 . 2009-11-11 06:06 1794456 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-11-01 02:33 . 2009-11-01 02:34 -------- d-----w- c:\documents and settings\Ren\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 03:25 . 2006-05-14 18:22 -------- d-----w- c:\program files\CallWave
2009-11-30 02:18 . 2005-07-19 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-30 02:18 . 2005-07-19 23:59 -------- d-----w- c:\program files\Viewpoint
2009-11-30 00:51 . 2005-10-15 16:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 00:48 . 2005-10-15 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-27 20:30 . 2009-01-24 04:53 -------- d-----w- c:\documents and settings\Ren\Application Data\Move Networks
2009-11-22 01:19 . 2009-07-31 04:04 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2009-11-19 22:57 . 2008-09-29 04:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-19 09:36 . 2006-11-02 03:55 -------- d-----w- c:\program files\McAfee
2009-11-12 16:44 . 2008-09-03 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-11 06:06 . 2005-07-28 23:44 80480 -c--a-w- c:\documents and settings\Ren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 06:06 . 2009-09-15 22:45 143976 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\uninstall.exe
2009-11-11 06:06 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-28 16:59 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-28 16:59 . 2009-10-28 16:59 1407680 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-26 04:53 . 2009-10-26 04:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-09 17:56 . 2009-10-01 16:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 17:54 . 2006-09-02 01:13 -------- d-----w- c:\program files\FileZilla
2009-10-09 02:08 . 2009-10-02 17:10 744 ----a-w- c:\windows\system32\wininit.dll
2009-10-06 23:33 . 2009-10-06 23:33 -------- d-----w- c:\documents and settings\Administrator.DHW1HY71\Application Data\Malwarebytes
2009-10-06 23:33 . 2009-01-30 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 21:58 . 2009-10-02 16:37 0 ----a-w- c:\windows\Prahetaped.bin
2009-10-06 21:58 . 2009-10-02 16:37 120 ----a-w- c:\windows\Gkohob.dat
2009-10-04 05:37 . 2009-10-04 05:37 691712 ----a-w- c:\windows\is-P80P3.exe
2009-10-04 01:34 . 2009-10-04 01:34 302 ----a-w- c:\windows\system32\config\systemprofile\Application Data\3175035112\3175035112.bat
2009-10-04 01:34 . 2009-10-04 01:34 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\3175035112
2009-10-02 20:41 . 2009-10-02 20:41 691712 ----a-w- c:\windows\is-JJ83K.exe
2009-10-02 16:56 . 2009-10-02 16:56 18860 ----a-w- c:\windows\system32\tovytifa.pif
2009-10-02 16:56 . 2009-10-02 16:56 16950 ----a-w- c:\program files\Common Files\ubobi.pif
2009-10-02 16:56 . 2009-10-02 16:56 15465 ----a-w- c:\windows\system32\nafir.sys
2009-10-02 16:56 . 2009-10-02 16:56 12935 ----a-w- c:\windows\ujiz.com
2009-10-02 16:56 . 2009-10-02 16:56 10288 ----a-w- c:\program files\Common Files\dyqykeca.dll
2009-10-01 02:38 . 2009-10-01 02:38 18177 ----a-w- c:\program files\Common Files\afyxo.lib
2009-10-01 02:38 . 2009-10-01 02:38 16736 ----a-w- c:\windows\vixetogaf.dat
2009-10-01 02:38 . 2009-10-01 02:38 14816 ----a-w- c:\program files\Common Files\omunyzituk.bin
2009-10-01 02:38 . 2009-10-01 02:38 13637 ----a-w- c:\windows\fahugumih.pif
2009-10-01 02:38 . 2009-10-01 02:38 12114 ----a-w- c:\windows\system32\osogepore.dat
2009-09-30 23:54 . 2009-09-30 23:54 19775 ----a-w- c:\program files\Common Files\izom.lib
2009-09-30 23:54 . 2009-09-30 23:54 19422 ----a-w- c:\windows\eqenugagu.sys
2009-09-30 23:54 . 2009-09-30 23:54 19334 ----a-w- c:\program files\Common Files\bidije.lib
2009-09-30 23:54 . 2009-09-30 23:54 13171 ----a-w- c:\windows\system32\gopyw.dll
2009-09-30 23:46 . 2009-09-30 23:46 19028 ----a-w- c:\windows\system32\heqigacami.exe
2009-09-30 23:46 . 2009-09-30 23:46 17744 ----a-w- c:\windows\uregedy.sys
2009-09-30 23:46 . 2009-09-30 23:46 17616 ----a-w- c:\program files\Common Files\xolesog.lib
2009-09-30 23:46 . 2009-09-30 23:46 16526 ----a-w- c:\program files\Common Files\ihywita.com
2009-09-30 23:46 . 2009-09-30 23:46 16149 ----a-w- c:\program files\Common Files\ponar.dl
2009-09-30 23:46 . 2009-09-30 23:46 14065 ----a-w- c:\program files\Common Files\kezibi.ban
2009-09-30 23:15 . 2009-09-30 23:15 19375 ----a-w- c:\windows\qanekewaq.bin
2009-09-30 23:15 . 2009-09-30 23:15 18401 ----a-w- c:\windows\system32\humoc.com
2009-09-30 23:15 . 2009-09-30 23:15 17873 ----a-w- c:\windows\system32\ekypo.bin
2009-09-30 23:15 . 2009-09-30 23:15 14044 ----a-w- c:\windows\system32\xyropym.com
2009-09-30 23:15 . 2009-09-30 23:15 13947 ----a-w- c:\windows\uvyxuzow.com
2009-09-30 23:15 . 2009-09-30 23:15 10700 ----a-w- c:\windows\system32\uvir.com
2009-09-30 23:15 . 2009-09-30 23:15 10536 ----a-w- c:\program files\Common Files\tonyjiwe.bin
2009-09-21 22:09 . 2009-09-21 22:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-16 16:22 . 2007-03-03 19:00 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 16:22 . 2007-03-03 19:00 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 16:22 . 2007-03-03 19:00 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 16:22 . 2007-03-03 19:00 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 16:22 . 2007-03-03 19:00 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 22:45 . 2009-09-15 22:45 1686272 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-10-02 02:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-10-02 02:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-08-15 1358848]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-08-15 1358848]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"Dell QuickSet"="c:\progra~1\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-03-20 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-03-20 16624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\Ren\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-5-27 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2009-3-16 156784]
CallWave.lnk - c:\program files\CallWave\IAM.exe [2006-5-14 1940544]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-9-14 315392]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell V305\\dldtamon.exe"=
"c:\\Program Files\\Dell V305\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell V305\\dldtlscn.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Apoint\\Apoint.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca5a9bdd025b30.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-27 21:34]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-27 21:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 18:22]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ren\Application Data\Mozilla\Firefox\Profiles\zni204dd.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
SharedTaskScheduler-{ad8537c0-b68d-483b-83a6-f0a15ca8b0e0} - c:\windows\system32\hugupapu.dll
SharedTaskScheduler-{494e2888-ae7f-4508-a854-dd2dae7c0401} - c:\windows\system32\hugupapu.dll
SharedTaskScheduler-{55753b49-c3b5-4452-b13d-08fa8bbbed94} - c:\windows\system32\bufezeza.dll
SSODL-yinemijet-{ad8537c0-b68d-483b-83a6-f0a15ca8b0e0} - c:\windows\system32\hugupapu.dll
SSODL-rujavinet-{494e2888-ae7f-4508-a854-dd2dae7c0401} - c:\windows\system32\hugupapu.dll
SSODL-hawawafot-{55753b49-c3b5-4452-b13d-08fa8bbbed94} - c:\windows\system32\bufezeza.dll
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\Apoint\Uninstap.exe ADDREMOVE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 21:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A755170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a8852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
NDIS: Intel® PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf742bbb0
PacketIndicateHandler -> NDIS.sys @ 0xf7438a21
SendHandler -> NDIS.sys @ 0xf741687b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1032)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5084)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\CallWave\CWIdle.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dldtcoms.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Dell V305\dldtMsdMon.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Apoint\Apntex.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-11-29 22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 04:12

Pre-Run: 13,959,929,856 bytes free
Post-Run: 13,812,420,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0D49ADC958949969BF85EC3AFD04AD92

THANK YOU.
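A triage script over the Find3M report above, added here as an example and not part of the thread or of ComboFix: it clusters entries by the timestamp the listing is sorted on and keeps files in system locations whose two timestamps match and whose stem is a run of lower-case letters, which is how the same-minute drops of 2009-09-30 and 2009-10-02 stand out from legitimate updates. The burst threshold and the name pattern are my assumptions; the sample lines are copied from the log, with three benign entries (FileZilla, a McAfee driver, msv1_0.dll) included to show what is left alone.

```python
"""Burst triage over a ComboFix file listing.

Added example (not ComboFix code and not the helper's procedure). It clusters
entries by the timestamp ComboFix sorts the listing on, keeps only files in
system locations whose two timestamps match (dropped, never updated) and whose
stem is a run of lower-case letters, then reports clusters of three or more.
The threshold and the name pattern are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the Find3M report in the log above,
# plus three benign entries (FileZilla, a McAfee driver, msv1_0.dll) that the
# filters must leave alone.
SAMPLE = r"""
2009-10-09 17:54 . 2006-09-02 01:13 -------- d-----w- c:\program files\FileZilla
2009-10-02 16:56 . 2009-10-02 16:56 18860 ----a-w- c:\windows\system32\tovytifa.pif
2009-10-02 16:56 . 2009-10-02 16:56 16950 ----a-w- c:\program files\Common Files\ubobi.pif
2009-10-02 16:56 . 2009-10-02 16:56 15465 ----a-w- c:\windows\system32\nafir.sys
2009-10-02 16:56 . 2009-10-02 16:56 12935 ----a-w- c:\windows\ujiz.com
2009-10-02 16:56 . 2009-10-02 16:56 10288 ----a-w- c:\program files\Common Files\dyqykeca.dll
2009-09-30 23:15 . 2009-09-30 23:15 19375 ----a-w- c:\windows\qanekewaq.bin
2009-09-30 23:15 . 2009-09-30 23:15 18401 ----a-w- c:\windows\system32\humoc.com
2009-09-30 23:15 . 2009-09-30 23:15 13947 ----a-w- c:\windows\uvyxuzow.com
2009-09-16 16:22 . 2007-03-03 19:00 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
"""

# <timestamp> . <timestamp> <size or --------> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<t2>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)

# Locations the drops in this log favoured (lower-cased prefixes).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\common files\\")

# Assumption: the random stems are 4-12 lower-case letters with no digits.
RANDOM_STEM = re.compile(r"[a-z]{4,12}")


def parse(text):
    """Yield one dict per listing line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["is_dir"] = row["attrs"].startswith("d")
            yield row


def looks_dropped(row):
    """System-location file, random stem, both timestamps in the same minute."""
    if row["is_dir"]:
        return False
    path = row["path"].lower()
    if not path.startswith(SYSTEM_DIRS):
        return False
    name = path.rsplit("\\", 1)[-1]
    stem = name.rpartition(".")[0] or name
    return bool(RANDOM_STEM.fullmatch(stem)) and row["t1"] == row["t2"]


def find_bursts(text, min_files=3):
    """Map sort-timestamp -> paths for minutes with at least min_files suspects."""
    by_minute = defaultdict(list)
    for row in parse(text):
        if looks_dropped(row):
            by_minute[row["t1"]].append(row["path"])
    return {t: paths for t, paths in by_minute.items() if len(paths) >= min_files}


def suspect_paths(text, min_files=3):
    """Flat, sorted list of every path inside a flagged burst."""
    return sorted(p for paths in find_bursts(text, min_files).values() for p in paths)


if __name__ == "__main__":
    for minute, paths in sorted(find_bursts(SAMPLE).items(), reverse=True):
        print(f"{minute}: {len(paths)} files dropped together")
        for p in paths:
            print("   ", p)
```

Run against the full Find3M block rather than the sample, the same filters also pick up the 2009-10-01 02:38, 2009-09-30 23:54 and 23:46 groups; a McAfee driver refresh (several .sys files in one minute) is not flagged because its modification and creation timestamps differ.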

#6 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 PM

Posted 30 November 2009 - 05:19 PM

Well done. :(

You're heavily infected! We need to be very careful. You have a critical system file that needs to be replaced. I will try to replace it with files that are contained on your computer but we might need an install disc. Do you have one?

The computer doesn't seem to be running any better/differently. Still having problems with AIM and the browsers

Are you still getting redirected?

==========

c:\documents and settings\All Users\Application Data\5cf1b65

Is this folder familiar to you?

==========

Download and run Win32kDiag:

Next......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running. If you are using Vista please right-click and run as Admin!
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Viewpoint Manager
Viewpoint Media Player
My Way Search Assistant



Additional instructions can be found here if needed.

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Mia::
c:\windows\System32\eventlog.dll

SRPeek::
c:\windows\System32\eventlog.dll

File::
c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\PowerReg Scheduler.exe
c:\program files\Coupons
c:\windows\Prahetaped.bin
c:\windows\Gkohob.dat
c:\windows\is-P80P3.exe
c:\windows\is-JJ83K.exe
c:\windows\system32\tovytifa.pif
c:\program files\Common Files\ubobi.pif
c:\windows\system32\nafir.sys
c:\windows\ujiz.com
c:\program files\Common Files\dyqykeca.dll
c:\program files\Common Files\afyxo.lib
c:\windows\vixetogaf.dat
c:\program files\Common Files\omunyzituk.bin
c:\windows\fahugumih.pif
c:\windows\system32\osogepore.dat
c:\program files\Common Files\izom.lib
c:\windows\eqenugagu.sys
c:\program files\Common Files\bidije.lib
c:\windows\system32\gopyw.dll
c:\windows\system32\heqigacami.exe
c:\windows\uregedy.sys
c:\program files\Common Files\xolesog.lib
c:\program files\Common Files\ihywita.com
c:\program files\Common Files\ponar.dl
c:\program files\Common Files\kezibi.ban
c:\windows\qanekewaq.bin
c:\windows\system32\humoc.com
c:\windows\system32\ekypo.bin
c:\windows\system32\xyropym.com
c:\windows\uvyxuzow.com
c:\windows\system32\uvir.com
c:\program files\Common Files\tonyjiwe.bin

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\windows\system32\config\systemprofile\Application Data\3175035112

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Answers to all those questions!
* Win32kDiag.txt
* Log.txt
* Combofix.txt
* Gmer log
* Still getting redirected? Other problems?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html
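The post above says the missing eventlog.dll will be replaced from copies already on the machine. As an added example, not ComboFix code and not what its Mia::/SRPeek:: directives do internally, here are the two checks a practitioner makes by hand before trusting such a copy: choose the one whose file version matches the installed service pack (the log banner says Service Pack 3, and Sigcheck lists a 5.1.2600.5512 and a 5.1.2600.2180 copy), refuse to guess when none or several match, and confirm the copied file by size and MD5 against the Sigcheck record. The version-per-service-pack table is drawn from those two lines only; the sample strings are copied from the log.

```python
"""Choose and verify the replacement for a missing system file.

Added example, not ComboFix code and not what the Mia::/SRPeek:: directives do
internally. Given the Sigcheck lines ComboFix printed for eventlog.dll and the
installed build from the log banner, it picks the one copy whose file version
matches the running service pack and refuses to guess when none or several do;
verify_copy then confirms a copied file by size and MD5 before it is trusted.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample: the two Sigcheck lines and the banner from the log above.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
"""
BANNER = "Windows 5.1.2600 Service Pack 3 NTFS"

# XP file versions per service pack, taken from the two Sigcheck lines
# (SP2 = 2180, SP3 = 5512). Assumption: other service packs would be added here.
SP_VERSION = {2: "5.1.2600.2180", 3: "5.1.2600.5512"}

# [flag] <date> . <MD5> . <size> . . [<file version>] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>\d+)\] (?P<date>\d{4}-\d\d-\d\d) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[\d.]+)\] \. \. (?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """One record per Sigcheck line; unrelated lines are ignored."""
    return [m.groupdict() for m in map(SIGCHECK_RE.match, text.splitlines()) if m]


def installed_sp(banner):
    """Service pack number from the 'Windows 5.1.2600 Service Pack N' banner (0 if none)."""
    m = re.search(r"Service Pack (\d+)", banner)
    return int(m.group(1)) if m else 0


def pick_replacement(records, sp):
    """The single record whose version matches the installed SP, else None."""
    wanted = SP_VERSION.get(sp)
    matches = [r for r in records if r["version"] == wanted]
    return matches[0] if len(matches) == 1 else None


def matches_record(data, record):
    """True when the bytes have exactly the size and MD5 the Sigcheck record lists."""
    if len(data) != int(record["size"]):
        return False
    return hashlib.md5(data).hexdigest().upper() == record["md5"].upper()


def verify_copy(path, record):
    """Check a file on disk (e.g. the copy placed in System32) against the record."""
    p = Path(path)
    return p.is_file() and matches_record(p.read_bytes(), record)


if __name__ == "__main__":
    records = parse_sigcheck(SIGCHECK_SAMPLE)
    chosen = pick_replacement(records, installed_sp(BANNER))
    if chosen is None:
        print("no unambiguous copy matches the installed service pack; use the install disc")
    else:
        print("copy", chosen["path"], "then confirm MD5", chosen["md5"])
```

The size check matters as much as the hash: the $NtServicePackUninstall$ copy is the pre-SP3 file and would load, but it is not the version the rest of the Service Pack 3 system expects, which is why the script returns None rather than "any eventlog.dll" when the versions do not line up.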

#7 ZamboFire

ZamboFire
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 01 December 2009 - 11:44 PM

I had a feeling this was pretty bad, I'm glad you are still up to the challenge. I'll start out by warning you I couldn't get through everything you asked me to do. It has been a full day project which unfortunately has not produced the desired results. I will go through and answer/post everything you have asked for as best I can up until the combofix part where things went bad. Then I will do my best to tell you everything I tried and what the result of it was. So here it is...

1. I do not have an install disc. I may be able to get one. Does it need to be the one that came with my computer or could I use another person's disc?

2. Yes, I am still getting redirected. This morning when I first started to try and go through the list I searched for something random on Google and clicked the first five links that were given. The first one went to the correct site, the next four did not.

3. No, that folder is not familiar to me.

4.
Running from: C:\Documents and Settings\Ren\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Ren\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11E.tmp\ZAP11E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP150.tmp\ZAP150.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP197.tmp\ZAP197.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C5.tmp\ZAP1C5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP204.tmp\ZAP204.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E.tmp\ZAP9E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cursors\Cursors

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!

____________________________________________________________________________________

5.

Volume in drive C has no label.
Volume Serial Number is 5C73-93F2

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 04:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 04:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 04:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 06:12 PM 407,040 netlogon.dll
2 File(s) 588,288 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 407,040 netlogon.dll
2 File(s) 588,288 bytes

Total Files Listed:
10 File(s) 2,464,256 bytes
0 Dir(s) 13,662,633,984 bytes free

_______________________________________________________________________________

6. I removed Viewpoint manager and viewpoint media player per your instructions in the last post. My way search assistant is not present in the list on add/remove programs.


7. This is where I hit a wall. First, something I probably should have mentioned before that I apologize I forgot: I did not seem to successfully disable McAfee when running Combofix. I tried and thought I had, even had followed directions that had been posted online. However, when Combofix went to run it informed me McAfee was still on despite the security center showing it temporarily disabled. Today I was unable to even get the McAfee security center to open.

Next problem: I could not find ComboFix anywhere on my computer. It was not still on my desktop where I had installed it and a search for Combofix and thcbytes (since I renamed it per your instructions) turned up nothing but the log that was produced in the search for combofix. The search for thcbytes had no results.

Next I tried to go back to the links and just get it again. Initially both links were giving me the message that there was an error and I should try saving to a different location (I was trying to save to the desktop).
At this point I restarted my computer. Attempts to use those links at this point resulted in page loading errors. Restarted again.
Now every time I attempted to obtain combofix from those links while using firefox I would get as far as being asked where to save it and once I clicked save the box would disappear and firefox would have "(not responding)" appear in the title bar at the top after trying to click on anything. I would have to use task manager to close it.
After each time two things would appear on my desktop.
1. A "thcbytes.exe.part" file
2. what appeared to be the application "thcbytes" that would show 0 bytes in the properties and would give the message that it was not a valid win32 application when trying to run it.

I tried this many many times. Sometimes restarting my computer or shutting it down and rebooting in between times. I tried clearing all private data between some attempts as well. The results were always the same at this point.

I then tried to open internet explorer. I was pretty much able to do dishes and eat dinner in between the point I had tried to open it and the point that windows actually started opening. The links didn't seem to work at all from IE but I was able to try a couple of times from both links by opening a window and typing in the address of each link into the new IE window. Attempts this way resulted in the error message "cannot copy ComboFix(1) Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use" I had been renaming it to thcbytes for these attempts as well.

At this point the only other thing I could think of was to wait for my roommate and try to use his computer to put it on a thumb drive so I could transfer it to my computer. The first one I was able to get to my desktop but when I moved the CFScript file onto it I would get the error "Some installation files are corrupt. Please download a fresh copy and retry installation" (I am pretty sure the last word was installation; I was trying to take pictures of the messages so I could tell you exactly what they were but not all the pictures would turn out good.)
The second attempt from the other link would not transfer onto my desktop at all. It gave me some message about not being able to copy it that I did not catch.
I tried to bring the file to the first copy that was still on the thumb drive but received the same message about corrupt files as I did when I tried running it from the desktop.

At this point I have spent a lot of hours trying to complete that step and have absolutely no idea what else to try. I don't know if you will have other ideas to try or if knowing how the computer has responded to all the attempts will give you some insight but this is all I can give you. I did not try to get the gmer log because I was unsure if the other step needed to be completed first in order for it to give the proper results.

#8 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 PM

Posted 02 December 2009 - 10:59 AM

I see what the problem might be. The log was helpful!

Do this....


Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy c:\windows\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

    Files to delete:
    c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\PowerReg Scheduler.exe
    c:\program files\Coupons
    c:\windows\Prahetaped.bin
    c:\windows\Gkohob.dat
    c:\windows\is-P80P3.exe
    c:\windows\is-JJ83K.exe
    c:\windows\system32\tovytifa.pif
    c:\program files\Common Files\ubobi.pif
    c:\windows\system32\nafir.sys
    c:\windows\ujiz.com
    c:\program files\Common Files\dyqykeca.dll
    c:\program files\Common Files\afyxo.lib
    c:\windows\vixetogaf.dat
    c:\program files\Common Files\omunyzituk.bin
    c:\windows\fahugumih.pif
    c:\windows\system32\osogepore.dat
    c:\program files\Common Files\izom.lib
    c:\windows\eqenugagu.sys
    c:\program files\Common Files\bidije.lib
    c:\windows\system32\gopyw.dll
    c:\windows\system32\heqigacami.exe
    c:\windows\uregedy.sys
    c:\program files\Common Files\xolesog.lib
    c:\program files\Common Files\ihywita.com
    c:\program files\Common Files\ponar.dl
    c:\program files\Common Files\kezibi.ban
    c:\windows\qanekewaq.bin
    c:\windows\system32\humoc.com
    c:\windows\system32\ekypo.bin
    c:\windows\system32\xyropym.com
    c:\windows\uvyxuzow.com
    c:\windows\system32\uvir.com
    c:\program files\Common Files\tonyjiwe.bin

    Folders to delete:
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\program files\Viewpoint
    c:\windows\system32\config\systemprofile\Application Data\3175035112
    c:\documents and settings\All Users\Application Data\5cf1b65
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt
* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html
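
The copy command in the post above restores C:\WINDOWS\system32\eventlog.dll from the service-pack file store, and the dir listing in item 5 of post #7 is what makes that choice defensible: system32 still shows scecli.dll and netlogon.dll dated 04/13/2008 with the same sizes as the copies in ServicePackFiles\i386, while eventlog.dll does not appear in system32 at all, and the only two copies in the listing are the 08/04/2004 one in $NtServicePackUninstall$ and the 04/13/2008 one in ServicePackFiles\i386. The script below is an added example, not the helper's method and not a BleepingComputer tool. It parses dir /s-style output, reports which listed file has no copy in system32, and picks the replacement copy whose date matches the service-pack date of the files still present there. The listing is the one posted in the thread; the selection rule is this example's own assumption, and a date/size match is not proof of integrity, so the chosen file should still be hash- or signature-checked against a known-good copy before it is placed in system32.

```python
"""Choose a replacement for a system file from a 'dir /s'-style listing.

Added example; not code from the thread or from any BleepingComputer tool.
The listing below is the one posted in step 5 of post #7.  The selection rule
in choose_replacement() is this example's own assumption.
"""
import re
from collections import Counter, defaultdict

# Listing copied from the thread (output of the helper's 'dir' command).
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 5C73-93F2

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 04:00 AM 180,224 scecli.dll
08/04/2004 04:00 AM 407,040 netlogon.dll
08/04/2004 04:00 AM 55,808 eventlog.dll

 Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 06:12 PM 181,248 scecli.dll
04/13/2008 06:12 PM 407,040 netlogon.dll

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 181,248 scecli.dll
04/13/2008 06:12 PM 407,040 netlogon.dll
04/13/2008 06:11 PM 56,320 eventlog.dll

 Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 181,248 scecli.dll
04/13/2008 06:12 PM 407,040 netlogon.dll
"""

DIR_RE = re.compile(r"^Directory of (.+)$")
FILE_RE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S.*)$")


def parse_dir_listing(text):
    """Map lower-cased file name -> list of (directory, date, size) copies."""
    copies = defaultdict(list)
    directory = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            directory = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and directory is not None:
            date, _time, size, name = m.groups()
            copies[name.lower()].append((directory, date, int(size.replace(",", ""))))
    return dict(copies)


def missing_from(copies, directory):
    """Files that have copies elsewhere in the listing but none in `directory`."""
    d = directory.lower()
    return sorted(name for name, lst in copies.items()
                  if not any(c[0].lower() == d for c in lst))


def choose_replacement(copies, target, system_dir=r"C:\WINDOWS\system32"):
    """Pick the copy of `target` to restore into system_dir.

    Assumed rule: the other files still present in system_dir carry the
    install date of the machine's service pack; take the copy of `target`
    outside system_dir with that same date, preferring ServicePackFiles.
    Returns (directory, date, size) or None.  A date match is a plausibility
    check only; verify the file's hash or signature before copying it.
    """
    d = system_dir.lower()
    sp_dates = Counter(date for name, lst in copies.items() if name != target.lower()
                       for cdir, date, _ in lst if cdir.lower() == d)
    if not sp_dates:
        return None
    sp_date = sp_dates.most_common(1)[0][0]
    candidates = [c for c in copies.get(target.lower(), [])
                  if c[0].lower() != d and c[1] == sp_date]
    candidates.sort(key=lambda c: ("servicepackfiles" not in c[0].lower(), c[0].lower()))
    return candidates[0] if candidates else None


if __name__ == "__main__":
    copies = parse_dir_listing(SAMPLE_LISTING)
    print("missing from system32:", missing_from(copies, r"C:\WINDOWS\system32"))
    print("replacement for eventlog.dll:", choose_replacement(copies, "eventlog.dll"))
```

Run against the posted listing it names eventlog.dll as the file absent from system32 and selects C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (04/13/2008, 56,320 bytes), which is the source the copy command above uses; the older $NtServicePackUninstall$ copy is rejected because its date predates the files still in system32.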

#9 ZamboFire

ZamboFire
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 03 December 2009 - 01:36 AM

I was able to get one done this time. I had the same problems with the file not actually downloading with firefox right from the start and ended up going into safe mode in order to get Win32kDiag to my desktop. The log follows:

Running from: C:\Documents and Settings\Administrator.DHW1HY71\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator.DHW1HY71\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11E.tmp\ZAP11E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11E.tmp\ZAP11E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP150.tmp\ZAP150.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP150.tmp\ZAP150.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP197.tmp\ZAP197.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP197.tmp\ZAP197.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C5.tmp\ZAP1C5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C5.tmp\ZAP1C5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP204.tmp\ZAP204.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP204.tmp\ZAP204.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E.tmp\ZAP9E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E.tmp\ZAP9E.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Cursors\Cursors

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cursors\Cursors

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!


I then possibly made a large mistake by continuing in safe mode to the next steps. Copying the file with command prompt went fine. After starting the avenger and executing the contents of what you gave me it rebooted to a blue screen that read:

"A problem has been detected and windows has been shut down to prevent damage to your computer

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again follow these steps:
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK/F to check for hard drive corruption, and then restart your computer.
Technical Information:
***STOP: 0x0000007B (0xF78A6528, 0xC0000034, 0x00000000, 0x00000000)"

When I restarted I was given an option to run windows normally or from the last known working configuration. I restarted normally and got the same blue screen. I restarted again and selected the option to run from last known working configuration. When the computer booted a log was open in notepad for Avenger but it was entirely blank. I did not want to proceed any further until I knew exactly what to do since I am pretty sure this was not how it should go.

#10 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 PM

Posted 03 December 2009 - 08:21 AM

Bummer!

In the future if you encounter troubles performing the steps I have outlined in the way I have outlined them please STOP and tell me about it! :(

Are you now able to boot into normal mode without a BSOD?
Please post the "blank" Avenger log.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :file
    C:\WINDOWS\system32\eventlog.dll
    :filefind
    *atapi.sys
    *eventlog.dll
    *NDIS.sys
    *iastor.sys
    *nvata.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks,
~ t

Edited by thcbytes, 03 December 2009 - 09:07 AM.

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html

#11 ZamboFire

ZamboFire
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 03 December 2009 - 03:36 PM

I can boot in normal mode as usual now. I have no idea how to post the blank Avenger log since there is nothing to copy and paste. I tried to include it as an attachment a couple of times but when I press upload it tells me I didn't select a file to upload.



Running from: C:\Documents and Settings\Ren\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Ren\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:19 on 03/12/2009 by Ren (Administrator - Elevation successful)

========== file ==========

C:\WINDOWS\system32\eventlog.dll - Unable to find/read file.

========== filefind ==========

Searching for "*atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [22:32 03/08/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys --a--c 95360 bytes [06:22 10/12/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [03:51 30/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [21:50 04/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --a--c 95360 bytes [23:47 19/07/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

Searching for "*eventlog.dll"
C:\eventlog.dll --a--- 56320 bytes [06:03 03/12/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\i386\eventlog.dll --a--c 55808 bytes [22:33 03/08/2005] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\Program Files\EarthLink Setup\Windows\WinPOET\NukePoet\WrEventLog.dll -ra--c 114737 bytes [06:50 28/10/1999] [06:50 28/10/1999] BCD39F0D27F0E89DEFE4BA15B7B247AD
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll --a--c 55808 bytes [06:24 10/12/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [21:50 04/09/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "*NDIS.sys"
C:\i386\ndis.sys --a--c 182912 bytes [22:33 03/08/2005] [10:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys --a--c 182912 bytes [06:22 10/12/2008] [10:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ERDNT\cache\ndis.sys --a--- 182656 bytes [03:51 30/11/2009] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------ 182656 bytes [21:52 04/09/2008] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys ------ 182656 bytes [17:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D

Searching for "*iastor.sys"
No files found.

Searching for "*nvata.sys"
No files found.

-=End Of File=-




Sorry I didn't follow directions last time.
Thanks.
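Added example, not part of the thread and not code from the SystemLook tool: a parser for the "filefind" lines in the logs above that checks whether the copy of a file loaded from system32 carries the same MD5 as the copies Windows keeps under ServicePackFiles\i386 and $NtServicePackUninstall$, which is the comparison the helper made by eye before deciding which eventlog.dll to copy back. The sample lines are taken from the two SystemLook logs posted above; the reference directories are assumed from those same logs.

```python
"""Cross-check a live system file against the reference copies SystemLook lists.

Parses the "filefind" blocks of a SystemLook log and compares the MD5 of the
copy that is actually loaded (e.g. system32\eventlog.dll) with the copies that
Windows itself wrote to ServicePackFiles\i386 and $NtServicePackUninstall$.
A mismatch or a missing live copy is what the helper was looking for above.
"""
import re
from collections import defaultdict

# One SystemLook "filefind" result line has the shape
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
# The path may contain spaces, so it is matched lazily up to the attribute field.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]+)"$')

# Directories holding copies written by Windows setup / service pack install
# (assumed from the logs above); the live file should match one of them.
REFERENCE_DIRS = (
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\$ntservicepackuninstall$",
)


def parse_filefind(log_text):
    """Return {search_term: [entry, ...]} for every filefind block in the log."""
    results = defaultdict(list)
    term = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            term = m.group("term")
            continue
        m = LINE_RE.match(line)
        if m and term is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[term].append(entry)
    return dict(results)


def assess(entries, filename, live_dir):
    """Compare the live copy of `filename` in `live_dir` with the reference copies.

    Entries whose basename differs from `filename` are ignored: the wildcard
    "*eventlog.dll" also matched EarthLink's WrEventLog.dll in the log above.
    Returns {"status": "missing" | "match" | "mismatch", "live_md5", "references"}.
    """
    want = filename.lower()
    live_dir = live_dir.lower().rstrip("\\")
    live = None
    references = {}
    for e in entries:
        directory, _, base = e["path"].lower().rpartition("\\")
        if base != want:
            continue
        if directory == live_dir:
            live = e
        elif directory in REFERENCE_DIRS:
            references[e["path"]] = e["md5"]
    if live is None:
        return {"status": "missing", "live_md5": None, "references": references}
    status = "match" if live["md5"] in references.values() else "mismatch"
    return {"status": status, "live_md5": live["md5"], "references": references}


# Lines taken from the SystemLook logs posted above (first log: system32 copy
# of eventlog.dll was absent; atapi.sys lines from the same log).
SAMPLE_LOG = r"""
Searching for "*atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [22:32 03/08/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys --a--c 95360 bytes [06:22 10/12/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [21:50 04/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "*eventlog.dll"
C:\eventlog.dll --a--- 56320 bytes [06:03 03/12/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\Program Files\EarthLink Setup\Windows\WinPOET\NukePoet\WrEventLog.dll -ra--c 114737 bytes [06:50 28/10/1999] [06:50 28/10/1999] BCD39F0D27F0E89DEFE4BA15B7B247AD
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll --a--c 55808 bytes [06:24 10/12/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [21:50 04/09/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
"""

if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    print(assess(found["*atapi.sys"], "atapi.sys", r"C:\WINDOWS\system32\drivers"))
    print(assess(found["*eventlog.dll"], "eventlog.dll", r"C:\WINDOWS\system32"))
```

On the first log this reports eventlog.dll as "missing" from system32 and atapi.sys as a "match" with the ServicePackFiles copy; a hash that matches no reference copy would come back as "mismatch".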

#12 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 PM

Posted 03 December 2009 - 08:47 PM

No problem. :(

Do this...
  • Start
  • Run
  • Type cmd in the run box and press enter.
  • Copy & paste all of the green bolded below into the Command Prompt box and press enter.
COPY "C:\eventlog.dll" "C:\WINDOWS\system32\eventlog.dll"
  • You will see a "1 file copied" prompt.
  • Type exit
=========

Re-run SystemLook
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :file
    C:\WINDOWS\system32\eventlog.dll
    :filefind
    *eventlog.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

==========

With your next post please provide:

* SystemLook.txt

Thanks,
~ t

#13 ZamboFire

ZamboFire
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 03 December 2009 - 11:03 PM

Finally something seemed to go smoothly. Here are the results:



SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:00 on 03/12/2009 by Ren (Administrator - Elevation successful)

========== file ==========

C:\WINDOWS\system32\eventlog.dll - File found and opened.
MD5: 6D4FEB43EE538FC5428CC7F0565AA656
Created at 03:57 on 04/12/2009
Modified at 00:11 on 14/04/2008
Size: 56320 bytes
Attributes: --a---
FileDescription: Event Logging Service
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion: 5.1.2600.5512
OriginalFilename: Eventlog.DLL
InternalName: Eventlog.DLL
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

========== filefind ==========

Searching for "*eventlog.dll"
C:\eventlog.dll --a--- 56320 bytes [06:03 03/12/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\i386\eventlog.dll --a--c 55808 bytes [22:33 03/08/2005] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\Program Files\EarthLink Setup\Windows\WinPOET\NukePoet\WrEventLog.dll -ra--c 114737 bytes [06:50 28/10/1999] [06:50 28/10/1999] BCD39F0D27F0E89DEFE4BA15B7B247AD
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll --a--c 55808 bytes [06:24 10/12/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [21:50 04/09/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll --a--- 56320 bytes [03:57 04/12/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 56320 bytes [03:57 04/12/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

-=End Of File=-

#14 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 PM

Posted 03 December 2009 - 11:28 PM

Good! It worked. :(

Let's continue....

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\PowerReg Scheduler.exe
c:\windows\Prahetaped.bin
c:\windows\Gkohob.dat
c:\windows\is-P80P3.exe
c:\windows\is-JJ83K.exe
c:\windows\system32\tovytifa.pif
c:\program files\Common Files\ubobi.pif
c:\windows\system32\nafir.sys
c:\windows\ujiz.com
c:\program files\Common Files\dyqykeca.dll
c:\program files\Common Files\afyxo.lib
c:\windows\vixetogaf.dat
c:\program files\Common Files\omunyzituk.bin
c:\windows\fahugumih.pif
c:\windows\system32\osogepore.dat
c:\program files\Common Files\izom.lib
c:\windows\eqenugagu.sys
c:\program files\Common Files\bidije.lib
c:\windows\system32\gopyw.dll
c:\windows\system32\heqigacami.exe
c:\windows\uregedy.sys
c:\program files\Common Files\xolesog.lib
c:\program files\Common Files\ihywita.com
c:\program files\Common Files\ponar.dl
c:\program files\Common Files\kezibi.ban
c:\windows\qanekewaq.bin
c:\windows\system32\humoc.com
c:\windows\system32\ekypo.bin
c:\windows\system32\xyropym.com
c:\windows\uvyxuzow.com
c:\windows\system32\uvir.com
c:\program files\Common Files\tonyjiwe.bin

Folder::
c:\program files\Coupons
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\windows\system32\config\systemprofile\Application Data\3175035112
c:\documents and settings\All Users\Application Data\5cf1b65

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Re-run Gmer and post a log.

==========

With your next post please provide:

* Combofix.txt
* Gmer log
* Are you still getting redirected?

Kind regards,
~t

#15 ZamboFire

ZamboFire
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 04 December 2009 - 12:27 PM

Combofix hit a slight problem and gave me the message "Combofix has detected the presence of rootkit activity and needs to reboot the machine". After I pressed OK it rebooted and automatically continued the scan. Everything seemed to work fine from that point on. It did say it was submitting some malware information for further analysis at the end, but it just did that on its own before giving me a log.

ComboFix 09-12-03.04 - Ren 12/04/2009 0:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1531 [GMT -6:00]
Running from: c:\documents and settings\Ren\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ren\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active


FILE ::
"c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\PowerReg Scheduler.exe"
"c:\program files\Common Files\afyxo.lib"
"c:\program files\Common Files\bidije.lib"
"c:\program files\Common Files\dyqykeca.dll"
"c:\program files\Common Files\ihywita.com"
"c:\program files\Common Files\izom.lib"
"c:\program files\Common Files\kezibi.ban"
"c:\program files\Common Files\omunyzituk.bin"
"c:\program files\Common Files\ponar.dl"
"c:\program files\Common Files\tonyjiwe.bin"
"c:\program files\Common Files\ubobi.pif"
"c:\program files\Common Files\xolesog.lib"
"c:\windows\eqenugagu.sys"
"c:\windows\fahugumih.pif"
"c:\windows\Gkohob.dat"
"c:\windows\is-JJ83K.exe"
"c:\windows\is-P80P3.exe"
"c:\windows\Prahetaped.bin"
"c:\windows\qanekewaq.bin"
"c:\windows\system32\ekypo.bin"
"c:\windows\system32\gopyw.dll"
"c:\windows\system32\heqigacami.exe"
"c:\windows\system32\humoc.com"
"c:\windows\system32\nafir.sys"
"c:\windows\system32\osogepore.dat"
"c:\windows\system32\tovytifa.pif"
"c:\windows\system32\uvir.com"
"c:\windows\system32\xyropym.com"
"c:\windows\ujiz.com"
"c:\windows\uregedy.sys"
"c:\windows\uvyxuzow.com"
"c:\windows\vixetogaf.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\5cf1b65
c:\documents and settings\All Users\Application Data\5cf1b65\662.mof
c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\America Online 9.0 Tray Icon.lnk
c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\CallWave.lnk
c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\dlbcserv.lnk
c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\McAfee Security Scan.lnk
c:\documents and settings\All Users\Application Data\5cf1b65\BackUp\PowerReg Scheduler.exe
c:\documents and settings\All Users\Application Data\5cf1b65\mozcrt19.dll
c:\documents and settings\All Users\Application Data\5cf1b65\sqlite3.dll
c:\documents and settings\All Users\Application Data\5cf1b65\WSD_APDM.ico
c:\documents and settings\All Users\Application Data\5cf1b65\WSDDSys\vd952342.bd
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\buttons_bookmarks.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\buttons_folders.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\dog_ear.bmp
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\icon_add.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\icon_expand.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\icon_folder.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\icon_refresh.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\icon_trash.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\securelock.bmp
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\tray_face.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\tray_face_treeview.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\treeIcon_folderClosed.bmp
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\treeIcon_folderOpen.bmp
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\graphics\treeIcon_root.bmp
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\bookmarks\treeviewDlg.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\featureDefinition.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\GeneralOptions.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\GeneralOptions.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\graphics\options_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\graphics\options_icon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\graphics\options_text.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\graphics\traysize_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\graphics\traysize_icon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\graphics\traysize_text.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\GeneralOptions\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\images\inner_bl.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\images\inner_bot.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\images\inner_br.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\images\inner_tl.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\images\inner_top.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\images\inner_tr.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\images\s.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\options.css
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\options\options.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\core\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\core\featureDefinition.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\core\HTMLFeature.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\core\HTMLFeature.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\core\inioptions.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\core\PhotoViewVista.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\core\PhotoViewVistaDefinition.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\graphics\offline.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\graphics\photoview_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\graphics\photoview_icon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\HTMLFeature.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\includes\default.css
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\includes\htmlutils.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\notifier.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\offline.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\photoviewVista\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\featureDefinitions.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\graphics\popups_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\graphics\popups_icon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\graphics\popups_text.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\graphics\tray_face.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\popups.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\popups.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\popups.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\popups\popupsDefinition.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\featureDefinitions.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\arrow_icon.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\arrow_icon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\highlight_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\highlight_icon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\highlight_text.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\search_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\search_icon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\search_text.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\graphics\tray_face.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\search.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\search.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\search.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\search\searchDefinition.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SelectorEditor\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SelectorEditor\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SelectorEditor\SelectorEditor.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SelectorEditor\SelectorEditor.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SkinChooser\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SkinChooser\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SkinChooser\SkinChooser.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\features\SkinChooser\SkinChooser.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\ThemeTemplates\Custom.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\ThemeTemplates\Default\defaultSelectors.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\ThemeTemplates\Default\Template.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\ThemeTemplates\Default\Template.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\ThemeTemplates\Default\Template.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\ThemeTemplates\Default\TemplateDefinition.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\backgrounds\Custom.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\backgrounds\liberty.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\backgrounds\springflowers.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\backgrounds\sunflowers.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\custom.image
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\custom2.image
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\Default.image
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\Default.scheme
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\Green.scheme
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\liberty.image
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\none.image
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\Pink.scheme
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\Purple.scheme
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\springflowers.image
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\sunflowers.image
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\colorSchemes\Yellow.scheme
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\barintro.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\button_dropdown.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\popupmoi.wav
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\powered_by_yahoo.bmp
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\preview.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\search_buttons.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\close.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\frame_bottom.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\frame_gradient.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\frame_left.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\frame_right.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\frame_top.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\header_back.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\left_gradient.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\logo.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\offlinemsg.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\images\s.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\tellafriend_offline\index.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\template_buttons.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\template_buttons_green.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\template_buttons_pink.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\template_buttons_purple.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\template_buttons_yellow.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\template_logo.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\thumbnail_404.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\thumbnail_bookmarks.jpg
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\assets\graphics\titlebar.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\default.skin
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\defaultSelectors.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\DynamicSearchTypes.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\featureDefinition.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\HTMLFeature.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\HTMLFeature.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\HTMLFeature.module
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\HTMLFeatureDefinition.module
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\inioptions.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\core\PersonalizationWrapper.dll
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\graphics\default_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\graphics\icons.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\HTMLFeature.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\includes\default.css
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\includes\htmlutils.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\notifier.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Amazon\offline.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\arrow_down.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\arrow_up.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\inner_bl.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\inner_bot.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\inner_br.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\inner_tl.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\inner_top.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\inner_tr.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\images\s.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\ThemeCustomizer.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\ThemeCustomizer.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\ThemeCustomizer\ThemeCustomizer.module
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\core\feature.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\core\featureDefinition.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\core\HTMLFeature.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\core\HTMLFeature.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\core\HTMLFeature.module
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\core\HTMLFeatureDefinition.module
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\core\inioptions.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\graphics\customicon.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\graphics\default_icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\graphics\icons.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\HTMLFeature.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\includes\default.css
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\includes\htmlutils.js
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\notifier.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\offline.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\features\Weather\options.html
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\All Button States.isa
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\button_disabled.isa
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\button_down.isa
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\button_downover.isa
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\button_over.isa
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\button_up.isa
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\create button states.jsfl
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\create interface buttons.jsfl
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\CreateColorScheme.jsx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\CreateImageScheme.jsx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\interface graphics.isa
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\automationScripts\ThemeTemplateProcessor.jsx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar\3.8.0\ThemesV3\Default\production\color_scheme.psd
c:\program files\Common Files\afyxo.lib
c:\program files\Common Files\bidije.lib
c:\program files\Common Files\dyqykeca.dll
c:\program files\Common Files\ihywita.com
c:\program files\Common Files\izom.lib
c:\program files\Common Files\kezibi.ban
c:\program files\Common Files\omunyzituk.bin
c:\program files\Common Files\ponar.dl
c:\program files\Common Files\tonyjiwe.bin
c:\program files\Common Files\ubobi.pif
c:\program files\Common Files\xolesog.lib
c:\program files\Coupons
c:\program files\Coupons\Coupons.com.url
c:\program files\Coupons\uninstall.exe
c:\program files\Coupons\Uninstall\IRIMG1.JPG
c:\program files\Coupons\Uninstall\IRIMG2.JPG
c:\program files\Coupons\Uninstall\IRIMG3.JPG
c:\program files\Coupons\Uninstall\IRIMG4.JPG
c:\program files\Coupons\Uninstall\IRIMG5.JPG
c:\program files\Coupons\Uninstall\IRIMG6.JPG
c:\program files\Coupons\Uninstall\IRIMG7.JPG
c:\program files\Coupons\Uninstall\IRIMG8.JPG
c:\program files\Coupons\Uninstall\uninstall.dat
c:\program files\Coupons\Uninstall\uninstall.xml
c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Toolbar\3.8.0\eula.txt
c:\program files\Viewpoint\Viewpoint Toolbar\3.8.0\Uninstaller.exe
c:\program files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
c:\program files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarSystemInfo.dll
c:\windows\eqenugagu.sys
c:\windows\fahugumih.pif
c:\windows\Gkohob.dat
c:\windows\is-JJ83K.exe
c:\windows\is-P80P3.exe
c:\windows\Prahetaped.bin
c:\windows\qanekewaq.bin
c:\windows\system32\config\systemprofile\Application Data\3175035112
c:\windows\system32\config\systemprofile\Application Data\3175035112\3175035112.bat
c:\windows\system32\config\systemprofile\Application Data\3175035112\3175035112.cfg
c:\windows\system32\Drivers\leenl.sys
c:\windows\system32\ekypo.bin
c:\windows\system32\gopyw.dll
c:\windows\system32\heqigacami.exe
c:\windows\system32\humoc.com
c:\windows\system32\nafir.sys
c:\windows\system32\osogepore.dat
c:\windows\system32\tovytifa.pif
c:\windows\system32\uvir.com
c:\windows\system32\xyropym.com
c:\windows\ujiz.com
c:\windows\uregedy.sys
c:\windows\uvyxuzow.com
c:\windows\vixetogaf.dat

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-04 03:57 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-12-04 03:57 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-03 06:03 . 2008-04-14 00:11 56320 ----a-w- C:\eventlog.dll
2009-11-20 18:29 . 2009-11-20 18:29 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-11-20 18:22 . 2009-11-20 18:22 -------- d-----w- c:\windows\ERUNT
2009-11-20 18:16 . 2009-11-20 18:58 -------- d-----w- C:\SDFix
2009-11-19 21:48 . 2009-11-19 21:48 -------- d-sh--w- c:\documents and settings\Administrator.DHW1HY71\IETldCache
2009-11-18 04:46 . 2009-11-18 04:46 -------- d-sh--w- c:\documents and settings\Ren\PrivacIE
2009-11-15 22:57 . 2009-11-15 22:57 -------- d-----w- c:\windows\Cache
2009-11-14 23:30 . 2009-11-14 23:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-14 20:55 . 2009-11-14 20:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-14 20:52 . 2009-11-14 20:52 -------- d-sh--w- c:\documents and settings\Ren\IETldCache
2009-11-14 20:05 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-14 20:05 . 2009-11-14 20:05 -------- d-----w- c:\windows\ie8updates
2009-11-14 20:04 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-14 20:04 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 19:59 . 2009-11-14 20:03 -------- dc-h--w- c:\windows\ie8
2009-11-11 06:06 . 2009-11-11 06:06 1794456 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 05:13 . 2005-12-07 21:32 -------- d-----w- c:\program files\Google
2009-12-01 03:46 . 2006-05-14 18:22 -------- d-----w- c:\program files\CallWave
2009-11-30 00:51 . 2005-10-15 16:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 00:48 . 2005-10-15 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-27 20:30 . 2009-01-24 04:53 -------- d-----w- c:\documents and settings\Ren\Application Data\Move Networks
2009-11-22 01:19 . 2009-07-31 04:04 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2009-11-19 22:57 . 2008-09-29 04:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-19 09:36 . 2006-11-02 03:55 -------- d-----w- c:\program files\McAfee
2009-11-12 16:44 . 2008-09-03 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-11 06:06 . 2005-07-28 23:44 80480 -c--a-w- c:\documents and settings\Ren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 06:06 . 2009-09-15 22:45 143976 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\uninstall.exe
2009-11-11 06:06 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-28 16:59 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-28 16:59 . 2009-10-28 16:59 1407680 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-26 04:53 . 2009-10-26 04:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-09 17:56 . 2009-10-01 16:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 17:54 . 2006-09-02 01:13 -------- d-----w- c:\program files\FileZilla
2009-10-09 02:08 . 2009-10-02 17:10 744 ----a-w- c:\windows\system32\wininit.dll
2009-10-06 23:33 . 2009-10-06 23:33 -------- d-----w- c:\documents and settings\Administrator.DHW1HY71\Application Data\Malwarebytes
2009-10-06 23:33 . 2009-01-30 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 22:09 . 2009-09-21 22:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-16 16:22 . 2007-03-03 19:00 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 16:22 . 2007-03-03 19:00 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 16:22 . 2007-03-03 19:00 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 16:22 . 2007-03-03 19:00 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 16:22 . 2007-03-03 19:00 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 22:45 . 2009-09-15 22:45 1686272 ----a-w- c:\documents and settings\Ren\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-10-02 02:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-10-02 02:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-30_03.37.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 03:59 . 2004-08-04 03:59 95360 c:\windows\system32\dllcache\atapi.sys
+ 2005-07-28 21:04 . 2009-12-04 03:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-07-28 21:04 . 2009-11-30 03:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-07-28 21:04 . 2009-12-04 03:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-07-28 21:04 . 2009-11-30 03:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-14 23:30 . 2009-11-30 03:31 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-14 23:30 . 2009-12-04 03:14 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2005-07-28 21:04 . 2009-11-30 03:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-07-28 21:04 . 2009-12-04 03:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-03 05:20 . 2009-12-03 05:20 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2009-12-03 05:20 . 2009-12-03 05:20 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2009-12-03 05:20 . 2009-12-03 05:20 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-12-03 05:20 . 2009-12-03 05:20 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-12-03 05:20 . 2009-12-03 05:20 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2009-12-03 05:20 . 2009-12-03 05:20 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2009-12-03 05:20 . 2009-12-03 05:20 25214 c:\windows\Installer\{9074AFC0-CFDA-11DE-B484-005056806466}\ARPPRODUCTICON.exe
+ 2009-12-03 05:20 . 2009-12-03 05:20 1258496 c:\windows\Installer\107623.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-08-15 1358848]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-08-15 1358848]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"Dell QuickSet"="c:\progra~1\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-03-20 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-03-20 16624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]

c:\documents and settings\Ren\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-5-27 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2009-3-16 156784]
CallWave.lnk - c:\program files\CallWave\IAM.exe [2006-5-14 1940544]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-9-14 315392]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell V305\\dldtamon.exe"=
"c:\\Program Files\\Dell V305\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell V305\\dldtlscn.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Apoint\\Apoint.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2008 9:46 PM 93320]
S2 0117561258623492mcinstcleanup;McAfee Application Installer Cleanup (0117561258623492);c:\windows\TEMP\011756~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\011756~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [8/7/2008 3:36 PM 99568]
S2 gupdate1c9af23e48f6f60;Google Update Service (gupdate1c9af23e48f6f60);c:\program files\Google\Update\GoogleUpdate.exe [3/27/2009 3:35 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca5a9bdd025b30.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-27 21:34]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-27 21:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 18:22]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ren\Application Data\Mozilla\Firefox\Profiles\zni204dd.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Ren\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 01:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-12-04 01:08
ComboFix-quarantined-files.txt 2009-12-04 07:07
ComboFix2.txt 2009-11-30 04:14

Pre-Run: 13,829,005,312 bytes free
Post-Run: 13,782,290,432 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A9751D26D66E50DFE32344F5F84DCAEC


============================================================================

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-04 11:22:09
Windows 5.1.2600 Service Pack 3
Running: ww67nyfg.exe; Driver: C:\DOCUME~1\Ren\LOCALS~1\Temp\fxroapog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB71CA78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB71CA738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB71CA74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB71CA7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB71CA710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB71CA724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB71CA79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB71CA776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB71CA762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB71CA7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB71CA7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB71CA7B4]
Code \??\C:\DOCUME~1\Ren\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP B71CA7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP B71CA78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP B71CA766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP B71CA714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP B71CA7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP B71CA7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP B71CA7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP B71CA750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP B71CA7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP B71CA728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP B71CA73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP B71CA77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text atapi.sys!ZwSetSystemPowerState + FFE6FCD1 F74A23DC 2 Bytes [B0, D4] {MOV AL, 0xd4}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD12 F74A241D 2 Bytes [84, D4] {TEST AH, DL}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD2C F74A2437 2 Bytes [9C, D4]
.text atapi.sys!ZwSetSystemPowerState + FFE6FD74 F74A247F 2 Bytes [C8, DF]
.text atapi.sys!ZwSetSystemPowerState + FFE6FD8B F74A2496 2 Bytes [84, D4] {TEST AH, DL}
.text ...
? C:\DOCUME~1\Ren\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F7C
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0067
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD004A
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0039
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F3A
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD008C
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F18
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F29
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00D6
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FA1
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F6B
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FCD
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00A7
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093006C
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920073
.text C:\WINDOWS\system32\svchost.exe[532] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092004E
.text C:\WINDOWS\system32\svchost.exe[532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920022
.text C:\WINDOWS\system32\svchost.exe[532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920033
.text C:\WINDOWS\system32\svchost.exe[532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FDE
.text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700D2
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700ED
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700FE
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[1004] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F79
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060054
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[1004] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[1004] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005004C
.text C:\WINDOWS\system32\services.exe[1004] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB7
.text C:\WINDOWS\system32\services.exe[1004] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[1004] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1004] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[1004] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[1004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF008E
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF007D
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF006C
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00BF
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F77
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F30
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F4B
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F1F
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F88
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F5C
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F80
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F9B
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0033
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0022
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FBE
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0049
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD001D
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0038
.text C:\WINDOWS\system32\lsass.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0F50
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0F61
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0F72
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD002F
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0F9E
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F24
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0076
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0EE7
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0EF8
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0ECC
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0F8D
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0F3F
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F13
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC0051
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC0040
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FC0F9E
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1C, 89] {SBB AL, 0x89}
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC0FAF
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0FA6
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0FB7
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB0027
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB0FD2
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0FE5
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F8B
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0F9C
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0080
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0065
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC00C9
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC00B8
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0F55
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F66
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC0109
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0FC3
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0FE5
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC009B
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FD4
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00DA
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0FC3
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0F86
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0F97
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EB0FA8
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0B, 89]
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB002F
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0F8D
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0022
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0FC3
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FB2
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FDE
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C90000
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C9007D
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C90F7E
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C90F8F
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C90058
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C90036
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C900A2
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C90F50
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C900E9
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C900CE
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C90F35
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C90047
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C90FEF
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C90F6D
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C90FCA
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C9001B
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C900BD
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02C80FDB
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02C80065
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02C8002C
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02C8001B
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02C80FA8
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02C80000
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02C80FB9
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes CALL C89FEDE7
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02C80FCA
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02BB004E
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!system 77C293C7 5 Bytes JMP 02BB0FC3
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02BB0033
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02BB0FEF
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02BB0FDE
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02BB0018
.text C:\WINDOWS\System32\svchost.exe[1452] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02AF0000
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02AE0FEF
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02AE0014
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02AE0FDE
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02AE0FCD
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008B0F70
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008B0065
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008B0054
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008B0F97
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008B0FB9
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008B0F38
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008B0080
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008B0F1D
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008B00B6
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008B00C7
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008B0FA8
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008B001B
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008B0F55
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008B0FE5
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008B009B
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008A0047
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008A0FB9
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008A0FD4
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008A0F8A
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008A002C
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008A001B
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00890FB9
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 0089003A
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00890FDE
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0089000C
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00890029
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C00A1
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0FAC
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C007A
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0069
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0044
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F6D
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F8A
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F30
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C0F4B
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C00EE
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0FBD
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0011
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F9B
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0033
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0022
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F5C
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FDB
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0FAC
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0022
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0011
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0069
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B0058
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0047
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0042
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FB7
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FD2
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0027
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FE3
.text C:\WINDOWS\system32\svchost.exe[1900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F66
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F83
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F9E
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FAF
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0093
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F41
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F30
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00BF
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC00E4
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC006C
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FC0
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC00A4
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB006C
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[2376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0049
.text C:\WINDOWS\system32\svchost.exe[2376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0038
.text C:\WINDOWS\system32\svchost.exe[2376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FE3
.text C:\WINDOWS\system32\svchost.exe[2376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[2376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FC8
.text C:\WINDOWS\system32\svchost.exe[2376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA001D
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F52
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0047
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F79
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0036
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A007D
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A006C
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EFF
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F10
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00BD
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A001B
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F41
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\explorer.exe[3496] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A008E
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FC0
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290036
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290025
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029007D
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0029000A
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029006C
.text C:\WINDOWS\explorer.exe[3496] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029005B
.text C:\WINDOWS\explorer.exe[3496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FA6
.text C:\WINDOWS\explorer.exe[3496] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0027
.text C:\WINDOWS\explorer.exe[3496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\explorer.exe[3496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\explorer.exe[3496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0016
.text C:\WINDOWS\explorer.exe[3496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\explorer.exe[3496] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\explorer.exe[3496] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C000A
.text C:\WINDOWS\explorer.exe[3496] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\explorer.exe[3496] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C001B
.text C:\WINDOWS\explorer.exe[3496] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[ntoskrnl.exe!RtlInitUnicodeString] A5F35918
IAT atapi.sys[ntoskrnl.exe!swprintf] 0202C766
IAT atapi.sys[ntoskrnl.exe!KeSetEvent] 00388300
IAT atapi.sys[ntoskrnl.exe!IoCreateSymbolicLink] 000080B9
IAT atapi.sys[ntoskrnl.exe!IoGetConfigurationInformation] 047A8D00
IAT atapi.sys[ntoskrnl.exe!IoDeleteSymbolicLink] 0242C766
IAT atapi.sys[ntoskrnl.exe!MmFreeMappingAddress] 0C740200
IAT atapi.sys[ntoskrnl.exe!IoFreeErrorLogEntry] A5F3308B
IAT atapi.sys[ntoskrnl.exe!IoDisconnectInterrupt] 0204C281
IAT atapi.sys[ntoskrnl.exe!MmUnmapIoSpace] 1EEB0000
IAT atapi.sys[ntoskrnl.exe!ObReferenceObjectByPointer] ABF3C033
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] 02428B66
IAT atapi.sys[ntoskrnl.exe!RtlCompareUnicodeString] 00043D66
IAT atapi.sys[ntoskrnl.exe!IofCallDriver] B70F0876
IAT atapi.sys[ntoskrnl.exe!MmAllocateMappingAddress] 04C083C0
IAT atapi.sys[ntoskrnl.exe!IoAllocateErrorLogEntry] 086A03EB
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] 8BD00358
IAT atapi.sys[ntoskrnl.exe!IoDetachDevice] C7661045
IAT atapi.sys[ntoskrnl.exe!KeWaitForSingleObject] 83000202
IAT atapi.sys[ntoskrnl.exe!KeInitializeEvent] B9000478
IAT atapi.sys[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 00000080
IAT atapi.sys[ntoskrnl.exe!RtlInitAnsiString] 66047A8D
IAT atapi.sys[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 000242C7
IAT atapi.sys[ntoskrnl.exe!IoQueueWorkItem] 8B077402
IAT atapi.sys[ntoskrnl.exe!MmMapIoSpace] A5F30470
IAT atapi.sys[ntoskrnl.exe!IoInvalidateDeviceRelations] C03304EB
IAT atapi.sys[ntoskrnl.exe!IoReportDetectedDevice] 458BABF3
IAT atapi.sys[ntoskrnl.exe!IoReportResourceForDetection] 0C70FF08
IAT atapi.sys[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] D55815FF
IAT atapi.sys[ntoskrnl.exe!NlsMbCodePageTag] 4589F74A
IAT atapi.sys[ntoskrnl.exe!PoRequestPowerIrp] 40BE0F08
IAT atapi.sys[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 50006A30
IAT atapi.sys[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] D63815FF
IAT atapi.sys[ntoskrnl.exe!sprintf] F08BF74A
IAT atapi.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 03BFF685
IAT atapi.sys[ntoskrnl.exe!ObfDereferenceObject] 75000001
IAT atapi.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] 1045C709
IAT atapi.sys[ntoskrnl.exe!IoInvalidateDeviceState] C000009A
IAT atapi.sys[ntoskrnl.exe!ZwClose] 468B58EB
IAT atapi.sys[ntoskrnl.exe!ObReferenceObjectByHandle] 0C5E8960
IAT atapi.sys[ntoskrnl.exe!ZwCreateDirectoryObject] 500846C7
IAT atapi.sys[ntoskrnl.exe!IoBuildSynchronousFsdRequest] C7000000
IAT atapi.sys[ntoskrnl.exe!PoStartNextPowerIrp] 00BB1846
IAT atapi.sys[ntoskrnl.exe!PoCallDriver] 6083C000
IAT atapi.sys[ntoskrnl.exe!IoCreateDevice] E88300E0
IAT atapi.sys[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0E00C624
IAT atapi.sys[ntoskrnl.exe!RtlQueryRegistryValues] 440840C7
IAT atapi.sys[ntoskrnl.exe!ZwOpenKey] C7000004
IAT atapi.sys[ntoskrnl.exe!RtlFreeUnicodeString] C0000C40
IAT atapi.sys[ntoskrnl.exe!IoStartTimer] 468B0032
IAT atapi.sys[ntoskrnl.exe!KeInitializeTimer] 3C668360
IAT atapi.sys[ntoskrnl.exe!IoInitializeTimer] 24E88300
IAT atapi.sys[ntoskrnl.exe!KeInitializeDpc] 04448B8D
IAT atapi.sys[ntoskrnl.exe!KeInitializeSpinLock] 48890000
IAT atapi.sys[ntoskrnl.exe!IoInitializeIrp] 084D8B20
IAT atapi.sys[ntoskrnl.exe!ZwCreateKey] 40C7D68B
IAT atapi.sys[ntoskrnl.exe!RtlAppendUnicodeStringToString] 4ACF821C
IAT atapi.sys[ntoskrnl.exe!RtlIntegerToUnicodeString] 0340C6F7
IAT atapi.sys[ntoskrnl.exe!ZwSetValueKey] F815FFE0
IAT atapi.sys[ntoskrnl.exe!KeInsertQueueDpc] 89F74AD4
IAT atapi.sys[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 4D8B107D
IAT atapi.sys[ntoskrnl.exe!IoStartPacket] 5415FF08
IAT atapi.sys[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 83F74AD5
IAT atapi.sys[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 7D00107D
IAT atapi.sys[ntoskrnl.exe!IoFreeMdl] 107D3919
IAT atapi.sys[ntoskrnl.exe!MmUnlockPages] F6851474
IAT atapi.sys[ntoskrnl.exe!IoWriteErrorLogEntry] FF560774
IAT atapi.sys[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 4AD65415
IAT atapi.sys[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 53006AF7
IAT atapi.sys[ntoskrnl.exe!MmUnmapReservedMapping] D65015FF
IAT atapi.sys[ntoskrnl.exe!KeSynchronizeExecution] 5E5FF74A
IAT atapi.sys[ntoskrnl.exe!IoStartNextPacket] 5B10458B
IAT atapi.sys[ntoskrnl.exe!KeBugCheckEx] 0014C25D
IAT atapi.sys[ntoskrnl.exe!KeRemoveDeviceQueue] 00000000
IAT atapi.sys[ntoskrnl.exe!KeSetTimer] 00000000
IAT atapi.sys[ntoskrnl.exe!KeCancelTimer] 00000000
IAT atapi.sys[ntoskrnl.exe!_allmul] 00000000
IAT atapi.sys[ntoskrnl.exe!MmProbeAndLockPages] 00000000
IAT atapi.sys[ntoskrnl.exe!_except_handler3] 00000000
IAT atapi.sys[ntoskrnl.exe!PoSetPowerState] [806EF0B8] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoOpenDeviceRegistryKey] [806F4644] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlWriteRegistryValue] [806EF2A4] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!_aulldiv] [806EF000] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!strstr] [806EF070] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!_strupr] [806F3314] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!KeQuerySystemTime] [806F33E0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoWMIRegistrationControl] [806F3D98] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!KeTickCount] [806EF0E0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [806F467C] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoDeleteDevice] [806F4650] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!ExAllocatePoolWithTag] [806F46F4] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAllocateWorkItem] [806F46AC] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAllocateIrp] 00000000
IAT atapi.sys[ntoskrnl.exe!IoAllocateMdl] [F79895C8] \WINDOWS\system32\DRIVERS\WMILIB.SYS (WMILIB WMI support library Dll/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmBuildMdlForNonPagedPool] [F7989300] \WINDOWS\system32\DRIVERS\WMILIB.SYS (WMILIB WMI support library Dll/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmLockPagableDataSection] 00000000
IAT atapi.sys[ntoskrnl.exe!IoGetDriverObjectExtension] [804D92A7] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmUnlockPagableImageSection] [804F0970] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!ExFreePoolWithTag] [804E3996] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoFreeIrp] [805A9C9B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoFreeWorkItem] [805AA02D] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!InitSafeBootMode] [805C5BA9] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlCompareMemory] [80624749] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlCopyUnicodeString] [8052E14B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!memmove] [805C8430] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmHighestUserAddress] [80508F24] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[HAL.dll!KfAcquireSpinLock] 89000004
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] 144D8B08
IAT atapi.sys[HAL.dll!KeGetCurrentIrql] 8B044889
IAT atapi.sys[HAL.dll!KfRaiseIrql] 4889184D
IAT atapi.sys[HAL.dll!KfLowerIrql] 10458B08
IAT atapi.sys[HAL.dll!HalGetInterruptVector] 654103C7
IAT atapi.sys[HAL.dll!HalTranslateBusAddress] 43C74369
IAT atapi.sys[HAL.dll!KeStallExecutionProcessor] 54535F04
IAT atapi.sys[HAL.dll!KfReleaseSpinLock] 0843C74D
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] 00000444
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] 030C43C7
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8D000000
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] C7661053
IAT atapi.sys[WMILIB.SYS!WmiSystemControl] 140242C7
IAT atapi.sys[WMILIB.SYS!WmiCompleteRequest] 8D056A00

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B3B6AD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni@imagepath \systemroot\system32\drivers\gasfkyamaxfmyg.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\main@aid 20124
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\main\injector@* gasfkywsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\[email protected] \systemroot\system32\drivers\gasfkyamaxfmyg.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\[email protected] \systemroot\system32\gasfkyjwwoufvm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\[email protected] \systemroot\system32\gasfkymwwdqgdc.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\[email protected] \systemroot\system32\gasfkyxekqpmmb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyiecmfxni\[email protected] \systemroot\system32\gasfkymxodqlto.dat
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

---- EOF - GMER 1.0.15 ----


I actually do not appear to be getting redirected anymore.
Thanks



