Malware Removal Problems
dwhit110
2009-07-24, 01:56
Hi, I'm having some technical issues that I'm hoping someone here can help me with.
I'm running Windows XP on a Dell Inspiron 8600. I have McAfee on my computer which has told me that I have a Trojan named Vundo on my machine (that it can't remove).
I did a little bit of research and what I have kind of sounds like Vundo. I can't click on links when I search for stuff on Google or Yahoo, or I get sent to some weird 3rd-party site that isn't the link I clicked. iExplorer will also sometimes run in the background and show ads or play weird audio files.
I downloaded VundoFix and tried to get rid of it with that, but the program did now find any instances of Vundo.
I read the information that has been posted on this forum and tried to download both Spybot and HijackThis, but once I download them I can't get them to open... I looked into this a little bit and brought up my Task List and it shows that those files are running, but I can't get their windows to open or anything.
Can someone help me out here and get me started on the road so I can grab a HijackThis report and start to figure out what's wrong with my machine?
Thanks.
Sorry... typo... that should read that VundoFix did NOT find any instances of Vundo.
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Download GMER (http://www.gmer.net) by clicking the "Download EXE" button and saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while the scan is in progress!
When the scan is finished, click Copy. This copies the log to the clipboard.
Post the log in your reply.
dwhit110
2009-07-24, 22:22
Thanks for the response. Attached are the DDS reports. I'm having issues attaching the GMER. I get the error message that "Your file of 106.8 KB bytes exceeds the forum's limit of 48.8 KB for this filetype. " and when I try to just cut and paste it here I get the message that "The text that you have entered is too long (109586 characters). Please shorten it to 64000 characters long."
Please advise. Thanks.
dwhit110
2009-07-24, 22:25
On second thought, I split the GMER log into two responses below... Let me know if there's a different way you'd like me to get it to you.
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-24 15:23:37
Windows 5.1.2600 Service Pack 3
dwhit110
2009-07-24, 22:27
.text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00FF0FB2
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F1000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00F2000A
.text C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[1400] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CC000A
.text C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[1400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CD000A
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[1412] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CF000A
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[1412] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D0000A
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F37
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F48
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70F6F
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F80
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70011
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F0B
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70047
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70093
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70EFA
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70EDF
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F7002C
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F1C
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70000
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70078
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50025
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50047
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F50F8A
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50000
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F50036
.text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40FC1
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F40042
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40FD2
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40000
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40027
.text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40FE3
.text C:\WINDOWS\System32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00F60FCD
.text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00F60014
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1564] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D0000A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1564] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D1000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1644] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008E000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1644] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008F000A
.text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BA000A
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1812] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CE000A
.text C:\Program Files\McAfee\Common Framework\McTray.exe[1812] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\ZCfgSvc.exe[2012] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0131000A
.text C:\WINDOWS\system32\ZCfgSvc.exe[2012] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0132000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A7000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022D0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 022D0F81
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 022D006C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022D0F92
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 022D005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 022D0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022D0F70
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022D00B8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022D0F3A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022D0F5F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022D00F8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 022D0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 022D000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 022D0091
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 022D002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 022D0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022D00DD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 022B0FC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 022B0F6F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 022B0FD1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 022B0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 022B0F80
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 022B0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 022B002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 022B0FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 022A0F9C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!system 77C293C7 5 Bytes JMP 022A0027
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 022A0FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 022A0FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 022A0FB7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 022A000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02290FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 022C0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 022C0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 022C0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 022C0FB2
.text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[2256] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008A000A
.text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[2256] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008B000A
.text C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe[2320] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0081000A
.text C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe[2320] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0082000A
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2484] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D0000A
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2484] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D1000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AA000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AB000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01750000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01750F74
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01750F8F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01750069
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01750FAC
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01750FC7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0175008E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01750F52
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017500BA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017500A9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 017500CB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01750058
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01750011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01750F63
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0175003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0175002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01750F2B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0173000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0173003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01730FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01730FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0173002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01730FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01730F8A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [93, 89]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0173001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01720FA6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!system 77C293C7 5 Bytes JMP 01720FB7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01720FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01720000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01720FC8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0172001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01710FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01740000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 0174001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01740036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01740FDB
.text C:\WINDOWS\System32\RegSrvc.exe[2652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AC000A
.text C:\WINDOWS\System32\RegSrvc.exe[2652] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01330FEF
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01330F3D
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01330028
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01330F5A
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01330F75
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01330FAB
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01330F07
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01330F18
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01330EF6
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0133008F
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013300AA
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01330F86
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01330FDE
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01330043
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01330FBC
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01330FCD
.text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0133006A
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FB2
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0F61
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0F7C
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF001E
.text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0FA1
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0038
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FAD
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD001D
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0000
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FC8
.text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FE3
.text C:\WINDOWS\System32\svchost.exe[2788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC000A
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01320FEF
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01320FDE
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01320FCD
.text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01320FBC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B2000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00A52306 c:\windows\system32\gasesowo.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C52230
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00C52070
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C52050
.text C:\Program Files\iPod\bin\iPodService.exe[3772] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AD000A
.text C:\Program Files\iPod\bin\iPodService.exe[3772] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AE000A
.text C:\Documents and Settings\whitmyer.BWW-LAP-DEL-069\Desktop\crcdpben.exe[5056] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DB000A
.text C:\Documents and Settings\whitmyer.BWW-LAP-DEL-069\Desktop\crcdpben.exe[5056] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DC000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00EE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00EF000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00290000
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0029006E
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0029005D
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00290F83
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00290F94
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0029002F
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0029007F
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00290F37
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00290F01
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00290F1C
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00290EDC
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00290040
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00290FE5
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 015A2306 c:\windows\system32\gasesowo.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00290F54
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00290FB9
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00290FCA
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0029009A
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00380FB2
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00380054
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00380FC3
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00380FDE
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00380F97
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00380FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00380039
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00380028
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00390FBC
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!system 77C293C7 5 Bytes JMP 00390047
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00390022
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00390000
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00390FD7
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00390011
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C72230
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 015A286C c:\windows\system32\gasesowo.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C72050
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C72030
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!HttpAddRequestHeadersA 7805FB4D 5 Bytes JMP 012D000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01090FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01090FD4
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01090000
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01090011
.text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!HttpAddRequestHeadersW 780CD14D 5 Bytes JMP 013E000A
dwhit110
2009-07-24, 22:27
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [356] 0x00F20000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1080] 0x03230000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1188] 0x00C50000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1232] 0x00C50000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1292] 0x00C50000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1448] 0x00C50000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2788] 0x00C50000
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
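As an added example (not part of the thread and not GMER's own code), here is a small Python triage script for the two GMER sections above; the sample log inside it is a constructed excerpt with the same line shapes as the log posted.

```python
"""Triage the 'Processes' and 'Disk sectors' sections of a GMER log.

Added example for this thread; it is not code from the original post or
from GMER. It parses the two line formats seen in the log above and pulls
out what a responder looks at first: a module GMER marks as hidden that is
loaded into several processes, and MBR sectors GMER flags as rootkit-like.
"""
import re
from collections import defaultdict

# Constructed sample that mirrors the shape of the log posted above
# (a few lines of each section, not the full log).
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [356] 0x00F20000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1080] 0x03230000
Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1188] 0x00C50000
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
"""

# "---- Processes - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# "Library <module> (<flags>) @ <process> [<pid>] <base address>"
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<module>\S+)\s+\((?P<flags>[^)]*)\)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)
# "Disk <device> sector <n>: <notes>"
SECTOR_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<notes>.*)$")


def parse_gmer(text):
    """Return (hidden_modules, flagged_sectors).

    hidden_modules maps a module path GMER marked '*** hidden ***' to the
    list of (process, pid, base) it was found loaded in; flagged_sectors is
    the list of (device, sector, notes) whose notes say 'rootkit-like'.
    """
    hidden = defaultdict(list)
    flagged = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Processes":
            m = LIBRARY_RE.match(line)
            if m and "hidden" in m.group("flags"):
                hidden[m.group("module")].append(
                    (m.group("process"), int(m.group("pid")), m.group("base")))
        elif section == "Disk sectors":
            m = SECTOR_RE.match(line)
            if m and "rootkit-like" in m.group("notes"):
                flagged.append((m.group("device"), int(m.group("sector")), m.group("notes")))
    return dict(hidden), flagged


def triage(text):
    """Summarise the findings a responder should look at first."""
    hidden, flagged = parse_gmer(text)
    findings = []
    for module, loads in hidden.items():
        processes = sorted({proc for proc, _, _ in loads})
        findings.append({
            "kind": "hidden_module",
            "module": module,
            "load_count": len(loads),
            "processes": processes,
            # A hidden module inside the shell (Explorer) stays resident for
            # the whole logon session, so it is worth calling out separately.
            "in_explorer": any(p.lower().endswith("\\explorer.exe") for p in processes),
            # \\?\globalroot\ is an NT object-namespace path, not a normal
            # drive-letter path; legitimate DLLs are rarely mapped this way.
            "globalroot_path": module.lower().startswith("\\\\?\\globalroot\\"),
        })
    if flagged:
        # Sectors GMER annotates 'rootkit-like behavior' are disk-level
        # findings and are reviewed separately from the file findings.
        findings.append({"kind": "mbr_sectors", "sectors": [s for _, s, _ in flagged]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```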
Hi again,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
dwhit110
2009-07-25, 01:05
I can install ComboFix, but I can't get it to open on my computer, just like I couldn't get Spybot to open (whether in normal or safe modes).
Please advise.
dwhit110
2009-07-25, 02:41
Ok, false alarm. I re-downloaded ComboFix and was able to run it. I attached one of the files that you requested... When ComboFix finished running it told me to go to C:\ComboFix to recover the log but that folder appears empty to me, so not sure if this is all that you need or if there's anything else.
Please post fresh dds.txt file contents too (re-run DDS).
dwhit110
2009-07-25, 19:50
Here are the new DDS reports. How are things looking?
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
LimeWire
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
After that:
Uninstall Ad-Aware SE Personal since it's not supported anymore.
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\bf23567.dat
c:\windows\system32\rejovodu.dll
c:\windows\system32\joruzobe.dll
c:\windows\system32\gezoveyo.dll
c:\windows\system32\kifabibu.dll
c:\windows\system32\nenosivu.dll
Folder::
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire
c:\program files\LimeWire
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPMf704a7b2"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"=-
"27668:TCP"=-
"27668:UDP"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B5607D2B-B46E-B3F4-9048AFCC28FF5FA4}\{C05554A6-FBA2-C228-B971EB90057D401E}\{5FF68CF8-794F-D6E5-5439F075104F0A49}*]
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Uninstall old Adobe Reader versions and get the latest one (9.1 + update 9.1.2 for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 14 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version. Uncheck the MSN toolbar if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
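As an added example (not from the thread, the helper or ComboFix), a Python script that parses a CFScript like the one above and checks its File::/Folder:: targets against the "Other Deletions" section of a ComboFix report; the script and report excerpts inside are constructed from lines in this thread, and the directive semantics are my reading of the script, stated as assumptions in the comments.

```python
"""Parse a ComboFix CFScript and reconcile it against the ComboFix report.

Added example, not code from the thread, the helper or ComboFix. Assumed
directive semantics: File::/Folder:: name paths to remove; under Registry::
"name"=- deletes a value and [-key] deletes the whole key; RegNull:: names
keys holding embedded null characters (shown with a trailing *).
"""
import re

# Constructed excerpt of the CFScript posted above.
CFSCRIPT = r"""
File::
c:\windows\bf23567.dat
c:\windows\system32\rejovodu.dll
Folder::
c:\program files\LimeWire
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPMf704a7b2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"=-
"27668:TCP"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B5607D2B-B46E-B3F4-9048AFCC28FF5FA4}\{C05554A6-FBA2-C228-B971EB90057D401E}\{5FF68CF8-794F-D6E5-5439F075104F0A49}*]
"""

# Constructed excerpt shaped like the ComboFix report in this thread.
COMBOFIX_REPORT = r"""
FILE ::
"c:\windows\bf23567.dat"
"c:\windows\system32\rejovodu.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\LimeWire
c:\program files\LimeWire\LimeWire.exe
"""

DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

def parse_cfscript(text):
    """Return {"File": [...], "Folder": [...], "Registry": [(action, key, value)], "RegNull": [...]}."""
    script = {"File": [], "Folder": [], "Registry": [], "RegNull": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        d, k, v = DIRECTIVE_RE.match(line), KEY_RE.match(line), VALUE_RE.match(line)
        if d:
            section, current_key = d.group("name"), None
        elif section in ("File", "Folder"):
            script[section].append(line)
        elif section == "Registry" and k:
            current_key = k.group("key")
            if k.group("delete"):  # [-key]: remove the whole key (assumed semantics)
                script["Registry"].append(("delete_key", current_key, None))
        elif section == "Registry" and v and current_key and v.group("data") == "-":
            script["Registry"].append(("delete_value", current_key, v.group("name")))
        elif section == "RegNull" and k:
            script["RegNull"].append(k.group("key"))
    return script

def other_deletions(text):
    """Return the paths the report lists under its 'Other Deletions' banner."""
    deleted, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(") and line.endswith(")"):  # section banner
            in_section = "Other Deletions" in line
        elif in_section and line and line != ".":
            deleted.append(line)
    return deleted

def _norm(path):
    return path.lower().rstrip("\\")

def reconcile(script, deleted):
    """List File::/Folder:: targets the report does not show as removed; those need a manual look."""
    deleted_set = {_norm(p) for p in deleted}
    gaps = {"file_not_deleted": [], "folder_not_deleted": []}
    for f in script["File"]:
        if _norm(f) not in deleted_set:
            gaps["file_not_deleted"].append(f)
    for d in script["Folder"]:
        nd = _norm(d)
        # A folder counts as removed when it or anything beneath it is listed.
        if not any(p == nd or p.startswith(nd + "\\") for p in deleted_set):
            gaps["folder_not_deleted"].append(d)
    return gaps

if __name__ == "__main__":
    print(reconcile(parse_cfscript(CFSCRIPT), other_deletions(COMBOFIX_REPORT)))
```

A target that stays in the gaps list may simply have been absent or handled elsewhere in the full report, so the output is a checklist for the reviewer rather than a verdict.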
dwhit110
2009-07-27, 02:52
Here are the requested files... The CF log is too big to attach so I cut and pasted it below. How are things looking? Awaiting your next instructions...
ComboFix 09-07-25.08 - whitmyer 07/26/2009 14:13.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.563 [GMT -4:00]
Running from: c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Desktop\ComboFix2.exe
Command switches used :: c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active
FILE ::
"c:\windows\bf23567.dat"
"c:\windows\system32\gezoveyo.dll"
"c:\windows\system32\joruzobe.dll"
"c:\windows\system32\kifabibu.dll"
"c:\windows\system32\nenosivu.dll"
"c:\windows\system32\rejovodu.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\createtimes.cache
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\downloads.dat
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\fileurns.bak
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\fileurns.cache
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\installation.props
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\library.dat
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\library5.dat
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\limewire.props
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mojito.props
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\27F0EFC1d01
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\3816C1E5d01
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\7973F814d01
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\AE98BDF9d01
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A9Bd01
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\questions.props
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\simpp.xml
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\tables.props
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\version.xml
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\versions.props
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\xml\data\application.sxml3
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\LimeWire\xml\data\video.sxml3
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Desktop\DCI Madison Scouts-1988
c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Desktop\DCI Madison Scouts-1988
c:\windows\bf23567.dat
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\gezoveyo.dll
c:\windows\system32\joruzobe.dll
c:\windows\system32\kifabibu.dll
c:\windows\system32\nenosivu.dll
c:\windows\system32\rejovodu.dll
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
c:\windows\system32\proquota.exe . . . is missing!!
.
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.
2009-07-23 16:52 . 2009-07-23 16:52 -------- d-----w- C:\VundoFix Backups
2009-07-19 05:46 . 2009-07-22 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\15175054
2009-07-16 06:14 . 2009-07-16 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\11432194
2009-07-14 22:40 . 2009-07-15 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\11378684
2009-07-14 00:31 . 2009-07-14 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\18254144
2009-07-14 00:05 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-13 23:38 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-13 23:19 . 2009-07-13 23:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-13 23:19 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-13 23:18 . 2009-07-13 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-13 05:04 . 2009-07-26 18:13 -------- d-----w- C:\QUARANTINE
2009-07-13 04:21 . 2009-07-13 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-13 04:21 . 2009-07-13 04:21 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-07-13 04:21 . 2007-10-25 19:06 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll
2009-07-13 04:20 . 2009-01-28 00:50 73512 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-13 04:20 . 2009-01-28 00:50 65000 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2009-07-13 04:20 . 2009-01-28 00:50 34408 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-13 04:20 . 2009-01-28 00:50 52168 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-07-13 04:20 . 2009-01-28 00:50 177864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-13 04:20 . 2009-07-13 04:21 -------- d-----w- c:\program files\McAfee
2009-07-13 04:20 . 2009-07-13 04:20 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-07 01:28 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-07 01:28 . 2009-07-07 01:28 -------- d-----w- c:\program files\Avira
2009-07-07 00:50 . 2009-07-07 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\12940654
2009-06-30 04:24 . 2009-06-30 04:32 1915520 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-28 21:32 . 2009-06-28 21:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 21:31 . 2009-06-28 21:31 152576 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-06-28 20:39 . 2009-06-28 20:39 -------- d-----w- c:\program files\Microsoft Works
2009-06-28 20:38 . 2009-06-28 20:38 -------- d-----w- c:\program files\Microsoft.NET
2009-06-28 20:36 . 2009-06-28 20:36 -------- d-----w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Local Settings\Application Data\Microsoft Help
2009-06-28 20:36 . 2009-07-07 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-28 20:35 . 2009-06-28 20:35 -------- d--h--r- C:\MSOCache
2009-06-28 16:56 . 2009-06-28 20:42 -------- d-----w- c:\windows\ShellNew
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 18:04 . 2004-10-14 13:18 -------- d-----w- c:\program files\Lavasoft
2009-07-26 18:04 . 2004-10-14 13:18 -------- d-----w- c:\documents and settings\User\Application Data\Lavasoft
2009-07-23 18:50 . 2007-07-19 15:00 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-23 18:28 . 2004-07-01 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-23 02:06 . 2009-01-20 17:05 -------- d-----w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Viewpoint
2009-07-23 02:06 . 2004-12-03 18:31 -------- d-----w- c:\program files\Viewpoint
2009-07-23 02:04 . 2009-02-03 05:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-14 23:20 . 2004-12-02 19:38 -------- d-----w- c:\program files\Google
2009-07-14 22:45 . 2009-02-02 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-08 03:28 . 2009-06-10 03:10 -------- d-----w- c:\program files\Poker Crusher
2009-07-06 02:01 . 2004-07-01 12:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-30 04:27 . 2009-01-20 16:59 26544 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 21:31 . 2005-01-21 21:23 -------- d-----w- c:\program files\Java
2009-06-26 01:38 . 2007-08-03 20:25 -------- d-----w- c:\program files\Bodog Poker
2009-06-19 03:57 . 2009-06-19 03:57 -------- d-----w- c:\program files\iTunes
2009-06-19 03:57 . 2009-06-19 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 03:57 . 2009-06-19 03:57 -------- d-----w- c:\program files\iPod
2009-06-19 03:56 . 2007-08-27 15:02 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 03:55 . 2009-06-19 03:55 -------- d-----w- c:\program files\Bonjour
2009-06-19 03:54 . 2009-06-19 03:53 -------- d-----w- c:\program files\QuickTime
2009-06-19 03:52 . 2007-08-24 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-10 03:10 . 2009-06-10 03:10 147 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Local Settings\Application Data\fusioncache.dat
2009-06-07 18:50 . 2004-07-01 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-07 18:43 . 2009-01-20 16:59 -------- d-----w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Gtek
2009-06-07 18:43 . 2007-07-23 01:42 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 15:42 . 2009-06-19 03:51 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2008-08-04 04:32 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-22 02:04 . 2009-05-22 02:04 127877 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Move Networks\uninstall.exe
2009-05-22 02:04 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-22 02:04 . 2009-05-22 02:03 1685856 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-19 05:36 . 2009-06-20 16:34 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-20 16:34 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-20 16:34 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-20 16:34 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-20 16:34 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-20 16:34 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-20 16:34 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-20 16:34 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-29 04:56 . 2004-08-24 00:32 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2005-02-14 14:15 . 2005-02-14 14:13 12846248 ----a-w- c:\program files\QuickTimeFullInstaller.exe
2005-01-21 21:21 . 2005-01-21 21:21 1418296 ----a-w- c:\program files\j2re-1_4_2_06-windows-i586-p-iftw.exe
2004-12-03 18:30 . 2004-12-03 18:30 4465296 ----a-w- c:\program files\Install_AIM.exe
2004-12-02 19:38 . 2004-12-02 19:38 476304 ----a-w- c:\program files\GoogleToolbarInstaller.exe
2009-07-24 18:59 . 2008-12-08 15:07 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-01-31 17:55 . 2006-01-31 17:55 28672 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2006-01-31 17:55 . 2006-01-31 17:55 98304 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-24_23.24.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-26 18:29 . 2009-07-26 18:29 16384 c:\windows\Temp\Perflib_Perfdata_f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 68856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-28 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4130:UDP"= 4130:UDP:Windows Media Format SDK (wmplayer.exe)
"4135:UDP"= 4135:UDP:Windows Media Format SDK (wmplayer.exe)
"4134:UDP"= 4134:UDP:Windows Media Format SDK (wmplayer.exe)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/13/2009 7:38 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 Usp.rtncf;Usp.rtncf; [x]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2009-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
2009-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {E825ADDE-1FE2-11D3-B869-00C0DFE01947} - hxxps://mb.brandz.com/controls/brandz99.exe
FF - ProfilePath - c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Mozilla\Firefox\Profiles\idqm2oed.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\whitmyer.BWW-LAP-DEL-069\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 14:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(856)
c:\windows\System32\LgNotify.dll
- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-07-26 14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 18:40
ComboFix2.txt 2009-07-24 23:34
Pre-Run: 29,119,418,368 bytes free
Post-Run: 29,341,495,296 bytes free
603 --- E O F --- 2009-07-09 12:58
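A helper reads the "Reg Loading Points" block above by eye: Run-key autoruns, the firewall policy, and the service list. As an added example (not a ComboFix component and not part of any post in this thread), the following Python does that first pass mechanically. It pulls out the Run-style values, flags a disabled Windows Firewall, lists ports opened to every remote host, and calls out services whose binary is missing (`[x]`) or whose image path ComboFix could not verify (`--> ... [?]`). `SAMPLE_LOG` is constructed from lines in the log posted above; the RDP label for 3389/TCP is the only knowledge added beyond the log itself.

```python
"""Triage the autorun and firewall sections of a ComboFix log.

Added example; not part of the thread's posts and not a ComboFix component.
SAMPLE_LOG is constructed from lines in the log posted above.
"""
import re

SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4130:UDP"= 4130:UDP:Windows Media Format SDK (wmplayer.exe)
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 Usp.rtncf;Usp.rtncf; [x]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                                             # [HKEY_...] section header
AUTORUN_RE = re.compile(r'^"([^"]+)"="(.+?)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')  # "name"="path" [date size]
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*)$')                    # State Name;Display;Path [info]

# Ports worth an extra look when they are open to every remote host.
WELL_KNOWN = {("3389", "TCP"): "RDP"}


def parse_autoruns(text):
    """Return (registry_key, value_name, image_path, size) for each Run-style value."""
    key, found = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = AUTORUN_RE.match(line)
        if m and key:
            found.append((key, m.group(1), m.group(2), int(m.group(4))))
    return found


def triage(text):
    """Return human-readable findings, in log order."""
    key, findings = "", []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key.endswith(r"firewallpolicy\standardprofile"):
            m = FIREWALL_RE.match(line)
            if m and m.group(1) == "0":
                findings.append("Windows Firewall disabled in standard profile")
        elif key.endswith(r"globallyopenports\list"):
            m = PORT_RE.match(line)
            if m:
                port, proto = m.groups()
                label = WELL_KNOWN.get((port, proto))
                tag = f" ({label})" if label else ""
                findings.append(f"port {port}/{proto}{tag} open to all remote hosts")
        # Service lines are not inside a [key] block, so check them on every line.
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group(2), m.group(4).strip()
            if rest == "[x]":
                findings.append(f"service {name}: registered but binary missing")
            elif "-->" in rest and rest.endswith("[?]"):
                findings.append(f"service {name}: image path could not be verified")
    return findings


if __name__ == "__main__":
    for key, name, path, size in parse_autoruns(SAMPLE_LOG):
        print(f"autorun {name!r} -> {path} ({size} bytes) under {key}")
    for finding in triage(SAMPLE_LOG):
        print("FINDING:", finding)
```

On the log above this reports the disabled firewall, RDP (3389/TCP) open to all remote hosts, the Viewpoint service whose quoted path ComboFix could not resolve, and the orphaned Usp.rtncf service; none of those are proof of infection on their own, but each is something to ask the user about before declaring the machine clean.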
Hi,
Some things left to be done.
Install update 9.1.2 (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) for your Adobe Reader.
Go Start > Run and copy/paste the following single-line command into the Run box and click OK:
cmd /c PEV -l %systemdrive%\proquota.exe >Log.txt&Log.txt&del Log.txt
A Notepad file will open. Post the contents of Log.txt in your next reply.
dwhit110
2009-07-28, 06:23
Here you go
Hi again,
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.
___
Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
C:\WINDOWS\ServicePackFiles\i386\proquota.exe | c:\windows\system32\proquota.exe
C:\WINDOWS\ServicePackFiles\i386\proquota.exe | c:\windows\system32\dllcache\proquota.exe
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix2.exe
Then post the resultant log & a fresh dds.txt log.
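The FCopy step above restores system32\proquota.exe and its dllcache copy from the ServicePackFiles\i386 original; the PEV -l command earlier is how the helper inspected the copy in place. As an added example (not a PEV or ComboFix feature, and not from any post in this thread), the following Python does the comparison that motivates such a step: hash every copy of a system binary and report which ones differ from the reference. The XP paths are the defaults; the demo at the bottom uses constructed temp files so it runs anywhere.

```python
"""Check a system binary against the known-good copies Windows keeps.

Added example; not part of the thread and not a ComboFix or PEV feature.
"""
import hashlib
import os
import tempfile

# Default XP locations. ServicePackFiles is the copy the CFScript above restores from.
PROQUOTA_COPIES = {
    "reference": r"C:\WINDOWS\ServicePackFiles\i386\proquota.exe",
    "system32": r"C:\WINDOWS\system32\proquota.exe",
    "dllcache": r"C:\WINDOWS\system32\dllcache\proquota.exe",
}


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_copies(copies, reference="reference"):
    """Return {label: 'ok' | 'DIFFERS' | 'MISSING'} for every copy other than the reference.

    A missing reference is an error, not a finding: without it there is nothing
    trustworthy to compare against (or to restore from).
    """
    ref_path = copies[reference]
    if not os.path.isfile(ref_path):
        raise FileNotFoundError(f"reference copy missing: {ref_path}")
    ref_hash = sha256_of(ref_path)
    verdict = {}
    for label, path in copies.items():
        if label == reference:
            continue
        if not os.path.isfile(path):
            verdict[label] = "MISSING"
        elif sha256_of(path) == ref_hash:
            verdict[label] = "ok"
        else:
            verdict[label] = "DIFFERS"
    return verdict


def demo():
    """Constructed stand-in for the three proquota.exe locations plus a missing one."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "ref.exe")
        good = os.path.join(d, "good.exe")
        bad = os.path.join(d, "bad.exe")
        for p in (ref, good):
            with open(p, "wb") as f:
                f.write(b"MZ" + b"\x00" * 62 + b"original code")
        with open(bad, "wb") as f:
            # Same length as the original: a size-only check, like the
            # "[date size]" column in the log, would not catch this.
            f.write(b"MZ" + b"\x00" * 62 + b"patched  code")
        return compare_copies({
            "reference": ref,
            "system32": good,
            "dllcache": bad,
            "missing": os.path.join(d, "none.exe"),
        })


if __name__ == "__main__":
    print(demo())
    # On a real XP box: print(compare_copies(PROQUOTA_COPIES))
```

The point of hashing rather than trusting the size and date ComboFix prints is that a patched binary can keep both; the reference itself is only as trustworthy as ServicePackFiles, which is why helpers sometimes ask for a copy from a clean machine or the installation media instead.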
dwhit110
2009-07-29, 06:15
Here you go. How's it looking?
Hi,
That looks quite good, but did you get a report from MBAM? Could you post it as well?
dwhit110
2009-07-30, 01:20
Whoops, my fault. I was having trouble getting the file I copied from my first Malware scan to paste, so I ran it again and pulled another log. Here it is.
Hi,
Delete the C:\Documents and Settings\User\results.txt file.
Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files. You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN
Now copy/paste Combofix2 /u into the Run box and click OK
Next we remove some of the other tools we used.
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
You may delete DDS too.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left-hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
In the dropdown box, change the setting from Automatic to Manual.
Click OK.
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and install the firewall ONLY!). Both providers have support forums that help with configuration related questions.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
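The hosts file advice in the post above works because Windows consults %SystemRoot%\system32\drivers\etc\hosts before it asks DNS, and a line mapping a name to 0.0.0.0 (the convention the MVPS list uses) leaves a connection to that name nowhere to go. As an added example, not from the thread and not part of the MVPS project, the following Python parses a hosts file the way the resolver reads it and answers whether a name is blocked. The entries are constructed. It also shows a limitation worth knowing before relying on the technique: the hosts file matches exact names only, so blocking a domain does not block its subdomains.

```python
"""What a blocking hosts file does, and does not, cover.

Added example; not part of the thread and not from the MVPS hosts project.
SAMPLE_HOSTS is constructed; the hostnames are placeholders.
"""

SAMPLE_HOSTS = """\
# constructed sample in MVPS style: address, then one or more names, '#' comments
127.0.0.1 localhost
0.0.0.0 ads.example.net    # blocked ad server
0.0.0.0 tracker.example.org www.tracker.example.org
0.0.0.0  popups.example.com\t# tab before the comment is fine too
0.0.0.0 ads.example.net    # duplicate: the resolver keeps the first entry
"""

SINKHOLE = "0.0.0.0"  # MVPS uses 0.0.0.0; older lists used 127.0.0.1


def parse_hosts(text):
    """Return {lowercased_name: address} for every well-formed entry.

    Comments are stripped, blank and malformed lines skipped, and the first
    entry for a name wins, which is how the Windows resolver treats duplicates.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name cannot match anything
        addr, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve_locally(hostname, table):
    """Return the hosts-file answer for hostname, or None if DNS would be asked."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(hostname, table):
    """True only when the hosts file sends this exact name to the sinkhole."""
    return resolve_locally(hostname, table) == SINKHOLE


def uncovered(hostnames, table):
    """Names from a list (e.g. hosts seen in browser history) the file does not block."""
    return [h for h in hostnames if not is_blocked(h, table)]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(table)} entries loaded")
    for name in ("ads.example.net", "cdn.ads.example.net", "www.example.com"):
        print(f"{name:24} blocked={is_blocked(name, table)} answer={resolve_locally(name, table)}")
```

The `cdn.ads.example.net` case is the one to remember: the list has to name every host individually, which is why the MVPS file is large, and a large file is also why the post above suggests setting the DNS Client service to Manual, since that service caches the whole file.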
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.