search results lead to spam sites


This topic is locked
23 replies to this topic

#1 Moglee (Members, 13 posts)

Posted 04 November 2009 - 04:13 PM

If I do a search with Google or Yahoo (they are the only ones I have tried), the results are fine and normal; however, if I click on a link it redirects to cc3search. I have scanned with McAfee, Ad-Aware and Spybot. Spybot removed 2 trojans and everything worked fine, but on restart the problem returned. The Safari browser is unaffected.
I have run the DDS program, but RootRepeal would not run.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Tim at 20:54:52.53 on 04/11/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.1027 [GMT 0:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Java\jre7\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\windows defender\MpCmdRun.exe
C:\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
uRun: [CursorXP] c:\program files\cursorxp\CursorXP.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\windows\system32\kbdnet.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tim\appdata\roaming\mozilla\firefox\profiles\hfwogq5j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\win7codecs\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\win7codecs\rm\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 vpcnfltr;Virtual PC Network Filter Driver;c:\windows\system32\drivers\vpcnfltr.sys [2009-8-13 52224]
R1 vpcvmm;Virtual PC Virtual Machine Monitor;c:\windows\system32\drivers\vpcvmm.sys [2009-8-13 291712]
R3 MRV6X32U;Vista 32-bits Native WiFi Driver - USB;c:\windows\system32\drivers\MRVW23B.sys [2006-12-22 231040]
R3 NVNET;NVIDIA nForce 10/100 Mbps Ethernet ;c:\windows\system32\drivers\nvmf6232.sys [2009-4-30 287008]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
R3 vpcbus;Virtual PC Host Bus Service;c:\windows\system32\drivers\vpchbus.sys [2009-8-13 165376]
R3 vpcusb;USB Virtualization Connector Service;c:\windows\system32\drivers\vpcusb.sys [2009-8-13 76288]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 nvrd32;nvrd32;c:\windows\system32\drivers\nvrd32.sys [2009-4-29 139296]

=============== Created Last 30 ================

2009-11-04 20:54:16 523776 ----a-w- C:\dds.scr
2009-11-04 20:45:51 3564524 ----a-w- C:\ComboFix.exe
2009-11-04 19:47:22 524800 ----a-w- C:\OTS.exe
2009-11-04 19:32:39 0 d-----w- c:\program files\Trend Micro
2009-11-04 19:32:27 812344 ----a-w- C:\HJTInstall.exe
2009-11-04 19:05:34 0 d-----w- c:\windows\pss
2009-11-04 17:46:36 0 d-----w- c:\programdata\Ad Muncher
2009-11-04 17:40:18 0 d-----w- c:\program files\Ad Muncher
2009-11-04 16:50:42 97 ----a-w- c:\windows\wininit.ini
2009-11-04 16:29:21 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-04 16:29:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 15:41:12 524288 --sha-w- c:\users\tim\ntuser.dat{21a085a6-c956-11de-9920-f2bcc5f13695}.TMContainer00000000000000000002.regtrans-ms
2009-11-04 15:41:11 65536 --sha-w- c:\users\tim\ntuser.dat{21a085a6-c956-11de-9920-f2bcc5f13695}.TM.blf
2009-11-04 15:41:11 524288 --sha-w- c:\users\tim\ntuser.dat{21a085a6-c956-11de-9920-f2bcc5f13695}.TMContainer00000000000000000001.regtrans-ms
2009-11-04 13:15:29 0 dc----w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 13:15:04 0 d-----w- c:\programdata\Lavasoft
2009-11-04 13:15:04 0 d-----w- c:\program files\Lavasoft
2009-11-04 10:05:38 661358 ----a-w- C:\Adblock Pro User Guide.pdf
2009-11-04 09:59:38 0 d-----w- c:\program files\Adblock Pro
2009-11-04 07:51:57 0 d-----w- c:\program files\DivX
2009-11-03 22:19:15 0 d-----w- c:\program files\CDex_150
2009-11-03 18:46:19 3408 ------w- C:\bootsqm.dat
2009-11-03 18:28:00 0 d-----w- c:\program files\MagicDVDCopier
2009-11-03 17:49:26 0 d-----w- C:\Magic.DVD.Copier.v4.9.2
2009-11-03 17:09:05 0 ----a-w- c:\windows\kbdnet.dll
2009-11-03 17:09:03 34921 ----a-w- c:\windows\system32\uses32.dat
2009-11-03 17:09:03 100 ----a-w- c:\windows\system32\flags.ini
2009-11-03 14:09:10 0 d-----w- c:\programdata\vsosdk
2009-11-03 14:07:32 36352 ----a-w- c:\windows\system32\mssrv32.exe
2009-11-03 13:46:01 57929 ----a-w- C:\chrysanthemums-viceroy.jpg
2009-11-03 13:17:57 0 d-----w- c:\programdata\Stardock
2009-11-03 13:15:36 0 d-----w- c:\program files\Stardock
2009-11-03 12:41:31 0 d-----w- c:\program files\DU Meter
2009-11-03 12:36:21 0 d-----w- c:\programdata\Hagel Technologies
2009-11-03 12:33:06 608448 ----a-w- c:\windows\system32\comctl32.ocx
2009-11-03 12:32:58 0 d-----w- c:\program files\Total Video Converter
2009-11-03 12:15:07 0 d-----w- c:\program files\TagRename
2009-11-03 06:27:36 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-11-03 06:27:32 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-11-03 06:27:32 21320 ----a-w- c:\windows\system32\authuitu.dll
2009-11-03 06:27:01 0 d-----w- c:\users\tim\appdata\roaming\TuneUp Software
2009-11-03 06:26:46 0 d-----w- c:\program files\TuneUp Utilities 2010
2009-11-03 06:26:13 0 d-----w- c:\programdata\TuneUp Software
2009-11-03 06:25:53 0 d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-03 06:16:55 0 d-----w- c:\program files\common files\Windows Live
2009-11-03 06:16:34 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-03 06:10:18 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-03 06:10:15 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-03 06:10:15 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-03 06:10:15 2613248 ----a-w- c:\windows\explorer.exe
2009-11-03 06:10:15 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-03 06:10:14 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-03 06:10:14 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-03 02:07:39 0 d-----w- c:\windows\Panther
2009-11-03 02:07:06 0 d-----w- c:\windows\system32\OEM
2009-11-03 02:06:48 171136 --sha-r- C:\grldr
2009-11-03 02:06:47 0 d-----w- c:\program files\Lavalys
2009-11-03 01:55:13 0 d-----w- C:\Windows.old
2009-11-02 23:07:49 0 d-----w- c:\program files\CursorXP
2009-11-02 22:41:04 0 d-----w- c:\programdata\WinZip
2009-11-02 22:17:34 0 d-----w- c:\users\tim\appdata\roaming\Ashampoo
2009-11-02 22:14:59 0 d-----w- c:\programdata\ashampoo
2009-11-02 22:14:40 0 d-----w- c:\program files\Ashampoo
2009-11-02 22:03:45 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-02 22:03:45 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-02 22:02:46 0 d-----w- c:\program files\iPod
2009-11-02 22:02:45 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-02 22:02:45 0 d-----w- c:\program files\iTunes
2009-11-02 21:36:57 0 d-----w- c:\programdata\Azureus
2009-11-02 21:36:55 0 d-----w- c:\users\tim\appdata\roaming\Azureus
2009-11-02 21:36:35 0 d-----w- c:\program files\Vuze
2009-11-02 21:19:13 0 d-----w- c:\program files\Jasc Software Inc
2009-11-02 21:09:07 187816 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-02 21:06:04 0 d-----w- c:\programdata\Apple Computer
2009-11-02 21:05:52 0 d-----w- c:\program files\Bonjour
2009-11-02 21:05:44 0 d-----w- c:\programdata\Apple
2009-11-02 21:00:37 0 d-----w- c:\program files\NVIDIA Corporation
2009-11-02 21:00:17 0 d-----w- c:\programdata\NVIDIA
2009-11-02 20:17:37 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-11-02 20:13:45 0 d-----w- c:\windows\PCHEALTH
2009-11-02 20:11:43 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-02 20:10:07 0 d-----w- c:\programdata\Microsoft Help
2009-11-02 19:49:42 0 d-----w- c:\users\tim\appdata\roaming\Webroot
2009-11-02 19:49:41 0 d-----w- c:\programdata\Webroot
2009-11-02 19:49:41 0 d-----w- c:\program files\Webroot
2009-11-02 19:49:41 0 d-----w- c:\program files\common files\Webroot Shared
2009-11-02 19:49:13 194888 ----a-w- c:\windows\Unwash6.exe
2009-11-02 19:39:46 0 d-----w- c:\program files\Unlocker
2009-11-02 19:37:23 11313 ----a-w- c:\windows\system32\Config.MPF
2009-11-02 19:35:39 0 d-----w- c:\programdata\SiteAdvisor
2009-11-02 19:35:36 0 d-----w- c:\program files\SiteAdvisor
2009-11-02 19:33:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-02 19:33:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-02 19:33:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-02 19:33:08 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-11-02 19:32:44 0 d-----w- c:\program files\common files\McAfee
2009-11-02 19:32:42 0 d-----w- c:\program files\McAfee.com
2009-11-02 19:32:40 0 d-----w- c:\program files\McAfee
2009-11-02 19:31:59 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-11-02 19:24:32 87608 ----a-w- c:\users\tim\appdata\roaming\inst.exe
2009-11-02 19:24:32 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-02 19:24:32 47360 ----a-w- c:\users\tim\appdata\roaming\pcouffin.sys
2009-11-02 19:24:25 65602 ----a-w- c:\windows\system32\cook3260.dll
2009-11-02 19:24:25 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2009-11-02 19:24:25 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-11-02 19:24:25 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-11-02 19:24:25 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-11-02 19:24:25 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2009-11-02 19:24:25 102439 ----a-w- c:\windows\system32\sipr3260.dll
2009-11-02 19:24:24 0 d-----w- c:\program files\VSO
2009-11-02 19:13:02 0 d-----w- c:\programdata\McAfee
2009-11-02 18:59:48 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 18:39:10 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-11-02 18:38:57 0 d-----w- c:\program files\Yamicsoft
2009-11-02 18:38:25 0 d-----r- c:\users\tim\Virtual Machines
2009-11-02 18:36:01 0 d-----w- c:\program files\Virtual Windows XP
2009-11-02 18:35:11 0 d-----w- c:\programdata\Adobe
2009-11-02 18:34:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 18:34:00 0 d-----w- c:\program files\Win7codecs
2009-11-02 18:33:48 0 d-sh--w- c:\windows\Installer
2009-11-02 18:33:47 0 d-----w- c:\programdata\Win7codecs
2009-11-02 18:33:24 0 d-sh--w- C:\Recovery
2009-11-02 18:11:26 0 d-----w- c:\windows\system32\RTCOM
2009-11-02 18:11:26 0 d-----w- c:\program files\Realtek
2009-11-02 18:10:50 490088 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-01 11:06:27 0 d-----w- C:\dat-5788
2009-10-28 23:27:44 7754 ----a-w- C:\te.nfo
2009-10-26 22:18:00 1079272 ----a-w- C:\revosetup.exe
2009-10-18 22:04:27 0 d-----w- C:\euPOD_Pro
2009-10-18 21:55:36 0 d-----w- C:\goPod-1.4_win

==================== Find3M ====================

2009-09-27 17:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 17:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-24 23:31:00 1146184 ----a-w- C:\wlsetup-web.exe
2009-09-17 19:20:31 758937 ----a-w- C:\EasyBCD 1.7.2.exe
2009-09-16 10:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-08-29 19:27:07 389488 ----a-w- C:\OGAPluginInstall.exe
2009-08-28 11:07:28 437672 ----a-w- C:\msgr9uk.exe
2009-08-17 23:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 23:53:57 811520 ----a-w- c:\windows\system32\user32.dll
2009-08-13 23:53:57 805376 ----a-w- c:\windows\system32\cdosys.dll
2009-08-13 23:53:57 530432 ----a-w- c:\windows\system32\comctl32.dll
2009-08-13 23:53:57 380416 ----a-w- c:\windows\system32\sxs.dll
2009-08-13 23:53:57 36352 ----a-w- c:\windows\system32\mscert.dll
2009-08-13 23:53:57 30720 ----a-w- c:\windows\system32\kbdnet.dll
2009-08-13 23:53:57 304640 ----a-w- c:\windows\system32\gdi32.dll
2009-08-13 23:53:57 27136 ----a-w- c:\windows\system32\sxstrace.exe
2009-08-13 23:53:57 2326528 ----a-w- c:\windows\system32\win32k.sys
2009-08-13 23:53:52 179712 ----a-w- c:\windows\system32\notepad.exe
2009-08-13 23:53:52 179712 ----a-w- c:\windows\notepad.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:56:06.04 ===============


#2 Moglee (Topic Starter, Members, 13 posts)

Posted 05 November 2009 - 08:05 AM

I have figured out what is causing the redirects to spam sites: it is the kbdnet.dll. The problem has gone after renaming this file; however, a new one is created at startup, so there is obviously something lurking somewhere.

Hello Moglee,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that it would remove you from the active queue that Techs and Staff have access to. The malware staff check the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post instead of a reply. Please do not multiple-post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 06 November 2009 - 06:46 PM.


#3 Net_Surfer (Banned, 2,154 posts)

Posted 09 November 2009 - 03:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer


#4 Moglee (Topic Starter, Members, 13 posts)

Posted 09 November 2009 - 03:57 PM

Thank you for getting back to me. All I have done so far is write a batch file that loads at startup and deletes the kbdnet.dll.
Doing this stops any searches on Google leading to spam sites.

Attached Files

  • Attached File  DDS.zip   9.96KB   7 downloads
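
Added example, not part of this thread and not code from the DDS tool: a small Python triage script run over a constructed excerpt of the DDS log from post #1 (the lines below are copied from that log, but the excerpt is far from the full log). It pulls the AppInit_DLLs load point out of the Pseudo HJT Report, lists every file carrying that DLL's name in the Created Last 30 and Find3M sections, reports what else was written within a few seconds of the c:\windows\kbdnet.dll entry, and reports which files in Find3M carry exactly the same timestamp as the system32 copy. The ten-second burst window is an assumed value, and the script makes no judgement about the files it lists; it only puts related lines next to each other so they can be checked.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the DDS log posted in #1 (a handful of its lines,
# paths as they appear there; not the complete log).
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\windows\system32\kbdnet.dll

=============== Created Last 30 ================

2009-11-03 17:09:05 0 ----a-w- c:\windows\kbdnet.dll
2009-11-03 17:09:03 34921 ----a-w- c:\windows\system32\uses32.dat
2009-11-03 17:09:03 100 ----a-w- c:\windows\system32\flags.ini
2009-11-03 14:07:32 36352 ----a-w- c:\windows\system32\mssrv32.exe
2009-11-03 06:27:36 29512 ----a-w- c:\windows\system32\TURegOpt.exe

==================== Find3M ====================

2009-08-13 23:53:57 811520 ----a-w- c:\windows\system32\user32.dll
2009-08-13 23:53:57 30720 ----a-w- c:\windows\system32\kbdnet.dll
2009-08-13 23:53:57 304640 ----a-w- c:\windows\system32\gdi32.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+\s*$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def split_sections(text):
    """Map each '=== Name ===' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def appinit_dlls(sections):
    """Paths on AppInit_DLLs: lines. The registry value is space- or
    comma-separated, so paths with spaces appear there in short (8.3) form."""
    paths = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1]
            paths.extend(p.lower() for p in re.split(r"[,\s]+", value) if p)
    return paths


def parse_file_entries(lines):
    """'YYYY-MM-DD HH:MM:SS size attrs path' -> (datetime, size, attrs, path)."""
    entries = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, int(m.group(2)), m.group(3), m.group(4).lower()))
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def creation_burst(entries, name, window=timedelta(seconds=10)):
    """Other files whose timestamps fall within `window` (assumed: 10 s) of any
    entry named `name`; a dropper tends to write its pieces in one burst."""
    anchors = [ts for ts, _, _, p in entries if basename(p) == name]
    return sorted({p for ts, _, _, p in entries
                   if basename(p) != name and any(abs(ts - a) <= window for a in anchors)})


def timestamp_twins(entries, name):
    """Files whose timestamp equals, to the second, that of an entry named
    `name`. A file named in a load point that matches OS binaries this exactly
    cannot be vouched for by its date; check its signature or hash instead."""
    anchors = {ts for ts, _, _, p in entries if basename(p) == name}
    return sorted({p for ts, _, _, p in entries if ts in anchors and basename(p) != name})


def uac_disabled(sections):
    """True when the log shows EnableLUA = 0 (UAC switched off)."""
    return any(re.match(r"mPolicies-system:\s*EnableLUA\s*=\s*0\b", line)
               for line in sections.get("Pseudo HJT Report", []))


def triage(text):
    sections = split_sections(text)
    created = parse_file_entries(sections.get("Created Last 30", []))
    older = parse_file_entries(sections.get("Find3M", []))
    report = {"uac_disabled": uac_disabled(sections), "appinit": {}}
    for path in appinit_dlls(sections):
        name = basename(path)
        report["appinit"][path] = {
            "copies": sorted(p for _, _, _, p in created + older if basename(p) == name),
            "created_with": creation_burst(created, name),
            "same_timestamp_as": timestamp_twins(older, name),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(DDS_EXCERPT), indent=2))
```

Run stand-alone it prints the report for the excerpt. What it makes visible for this thread: a startup batch file that deletes the file (post #4) addresses neither the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows nor whatever writes the file back at boot, the zero-byte c:\windows\kbdnet.dll was created two seconds after uses32.dat and flags.ini in system32, and the system32 copy's timestamp matches user32.dll and gdi32.dll to the second, so its date says nothing about where it came from.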


#5 Net_Surfer (Banned, 2,154 posts)

Posted 09 November 2009 - 04:13 PM

Hi Moglee,

Can you please copy and paste the logs back here? They are easier to research.

Thanks

Net_Surfer

#6 Moglee (Topic Starter, Members, 13 posts)

Posted 09 November 2009 - 04:24 PM

Here they are.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tim at 20:48:19.58 on 09/11/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.809 [GMT 0:00]

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Safari\Safari.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Vuze\Azureus.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Samsung\Samsung PC Studio 3\LiveUpdate.exe
C:\Spyware\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
uRun: [CursorXP] c:\program files\cursorxp\CursorXP.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [Delete USB Error Key] "c:\program files\samsung\samsung pc studio 3\usb drivers\SPS3_USB_Driver_Setup.exe"
StartupFolder: c:\users\tim\appdata\roaming\micros~1\windows\startm~1\programs\startup\abat-s~1.lnk - c:\a.bat
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\kbdnet.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\tim\appdata\roaming\mozilla\firefox\profiles\hfwogq5j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\win7codecs\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\win7codecs\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R3 MRV6X32U;Vista 32-bits Native WiFi Driver - USB;c:\windows\system32\drivers\MRVW23B.sys [2006-12-22 231040]
R3 NVNET;NVIDIA nForce 10/100 Mbps Ethernet ;c:\windows\system32\drivers\nvmf6232.sys [2009-4-30 287008]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-7 54632]
S3 nvrd32;nvrd32;c:\windows\system32\drivers\nvrd32.sys [2009-4-29 139296]

=============== Created Last 30 ================

2009-11-09 19:16:42 0 d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-11-09 19:16:22 766 ----a-w- c:\windows\system32\Uninstall.ico
2009-11-09 19:16:13 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-11-09 19:15:53 0 d-----w- c:\program files\Samsung
2009-11-09 19:10:11 65290236 ----a-w- C:\20080116091810562_Samsung_PC_Studio_321_GJ9.exe
2009-11-09 09:28:24 0 d-----w- c:\program files\Burrrn
2009-11-09 07:07:53 2125249 ----a-w- C:\burrrn_package.exe
2009-11-08 07:18:30 0 d-----w- c:\program files\Thumbs4
2009-11-08 07:09:04 39 ----a-w- C:\a.bat
2009-11-07 20:22:29 0 d-----w- c:\users\tim\Tracing
2009-11-07 20:13:21 0 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-07 20:13:11 54632 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2009-11-07 20:11:37 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-07 20:11:04 20 ----a-w- c:\windows\j
2009-11-07 20:11:04 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-07 20:10:12 0 d-----w- c:\program files\Microsoft
2009-11-07 20:09:55 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-07 09:23:22 0 d-----w- C:\Spyware
2009-11-06 21:59:56 71029 ----a-w- C:\fanboy-adblocklist-elements.css
2009-11-06 18:11:10 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-06 17:21:27 0 d-----w- c:\program files\TagRename
2009-11-05 22:39:25 0 d-----w- c:\users\tim\appdata\roaming\Webroot
2009-11-05 22:39:24 0 d-----w- c:\programdata\Webroot
2009-11-05 22:39:24 0 d-----w- c:\program files\Webroot
2009-11-05 22:39:24 0 d-----w- c:\program files\common files\Webroot Shared
2009-11-05 22:38:55 194888 ----a-w- c:\windows\Unwash6.exe
2009-11-05 21:10:49 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-05 11:40:05 0 d-----w- c:\program files\Sophos
2009-11-05 11:38:44 0 d-----w- c:\users\tim\Pavark
2009-11-04 21:27:50 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-04 21:27:25 0 d-----w- c:\users\tim\appdata\roaming\SUPERAntiSpyware.com
2009-11-04 21:27:25 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 19:32:39 0 d-----w- c:\program files\Trend Micro
2009-11-04 19:05:34 0 d-----w- c:\windows\pss
2009-11-04 16:50:42 110 ----a-w- c:\windows\wininit.ini
2009-11-04 16:29:21 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-04 16:29:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 15:41:12 524288 --sha-w- c:\users\tim\ntuser.dat{21a085a6-c956-11de-9920-f2bcc5f13695}.TMContainer00000000000000000002.regtrans-ms
2009-11-04 15:41:11 65536 --sha-w- c:\users\tim\ntuser.dat{21a085a6-c956-11de-9920-f2bcc5f13695}.TM.blf
2009-11-04 15:41:11 524288 --sha-w- c:\users\tim\ntuser.dat{21a085a6-c956-11de-9920-f2bcc5f13695}.TMContainer00000000000000000001.regtrans-ms
2009-11-04 13:15:29 0 dc----w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 13:15:04 0 d-----w- c:\programdata\Lavasoft
2009-11-04 13:15:04 0 d-----w- c:\program files\Lavasoft
2009-11-04 09:59:38 0 d-----w- c:\program files\Adblock Pro
2009-11-04 07:51:57 0 d-----w- c:\program files\DivX
2009-11-03 22:19:15 0 d-----w- c:\program files\CDex_150
2009-11-03 18:28:00 0 d-----w- c:\program files\MagicDVDCopier
2009-11-03 17:09:05 0 ----a-w- c:\windows\kbdnet.dll
2009-11-03 17:09:03 34921 ----a-w- c:\windows\system32\uses32.dat
2009-11-03 17:09:03 100 ----a-w- c:\windows\system32\flags.ini
2009-11-03 14:09:10 0 d-----w- c:\programdata\vsosdk
2009-11-03 13:46:01 57929 ----a-w- C:\chrysanthemums-viceroy.jpg
2009-11-03 13:17:57 0 d-----w- c:\programdata\Stardock
2009-11-03 13:15:36 0 d-----w- c:\program files\Stardock
2009-11-03 12:41:31 0 d-----w- c:\program files\DU Meter
2009-11-03 12:36:21 0 d-----w- c:\programdata\Hagel Technologies
2009-11-03 12:33:06 608448 ----a-w- c:\windows\system32\comctl32.ocx
2009-11-03 12:32:58 0 d-----w- c:\program files\Total Video Converter
2009-11-03 06:27:36 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-11-03 06:27:32 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-11-03 06:27:32 21320 ----a-w- c:\windows\system32\authuitu.dll
2009-11-03 06:27:01 0 d-----w- c:\users\tim\appdata\roaming\TuneUp Software
2009-11-03 06:26:46 0 d-----w- c:\program files\TuneUp Utilities 2010
2009-11-03 06:26:13 0 d-----w- c:\programdata\TuneUp Software
2009-11-03 06:25:53 0 d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-03 06:16:55 0 d-----w- c:\program files\common files\Windows Live
2009-11-03 06:16:34 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-03 06:10:18 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-03 06:10:15 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-03 06:10:15 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-03 06:10:15 2613248 ----a-w- c:\windows\explorer.exe
2009-11-03 06:10:15 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-03 06:10:14 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-03 06:10:14 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-03 02:07:39 0 d-----w- c:\windows\Panther
2009-11-03 02:07:06 0 d-----w- c:\windows\system32\OEM
2009-11-03 02:06:48 171136 --sha-r- C:\grldr
2009-11-03 02:06:47 0 d-----w- c:\program files\Lavalys
2009-11-02 23:07:49 0 d-----w- c:\program files\CursorXP
2009-11-02 22:41:04 0 d-----w- c:\programdata\WinZip
2009-11-02 22:17:34 0 d-----w- c:\users\tim\appdata\roaming\Ashampoo
2009-11-02 22:14:59 0 d-----w- c:\programdata\ashampoo
2009-11-02 22:14:40 0 d-----w- c:\program files\Ashampoo
2009-11-02 22:03:45 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-02 22:03:45 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-02 22:02:46 0 d-----w- c:\program files\iPod
2009-11-02 22:02:45 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-02 22:02:45 0 d-----w- c:\program files\iTunes
2009-11-02 21:36:57 0 d-----w- c:\programdata\Azureus
2009-11-02 21:36:55 0 d-----w- c:\users\tim\appdata\roaming\Azureus
2009-11-02 21:36:35 0 d-----w- c:\program files\Vuze
2009-11-02 21:19:13 0 d-----w- c:\program files\Jasc Software Inc
2009-11-02 21:09:07 187816 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-02 21:06:04 0 d-----w- c:\programdata\Apple Computer
2009-11-02 21:05:52 0 d-----w- c:\program files\Bonjour
2009-11-02 21:05:44 0 d-----w- c:\programdata\Apple
2009-11-02 21:00:37 0 d-----w- c:\program files\NVIDIA Corporation
2009-11-02 21:00:17 0 d-----w- c:\programdata\NVIDIA
2009-11-02 20:17:37 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-11-02 20:13:45 0 d-----w- c:\windows\PCHEALTH
2009-11-02 20:11:43 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-02 20:10:07 0 d-----w- c:\programdata\Microsoft Help
2009-11-02 19:39:46 0 d-----w- c:\program files\Unlocker
2009-11-02 19:37:23 13665 ----a-w- c:\windows\system32\Config.MPF
2009-11-02 19:35:39 0 d-----w- c:\programdata\SiteAdvisor
2009-11-02 19:35:36 0 d-----w- c:\program files\SiteAdvisor
2009-11-02 19:33:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-02 19:33:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-02 19:33:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-02 19:33:08 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-11-02 19:32:44 0 d-----w- c:\program files\common files\McAfee
2009-11-02 19:32:42 0 d-----w- c:\program files\McAfee.com
2009-11-02 19:32:40 0 d-----w- c:\program files\McAfee
2009-11-02 19:31:59 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-11-02 19:24:32 87608 ----a-w- c:\users\tim\appdata\roaming\inst.exe
2009-11-02 19:24:32 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-02 19:24:32 47360 ----a-w- c:\users\tim\appdata\roaming\pcouffin.sys
2009-11-02 19:24:25 65602 ----a-w- c:\windows\system32\cook3260.dll
2009-11-02 19:24:25 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2009-11-02 19:24:25 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-11-02 19:24:25 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-11-02 19:24:25 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-11-02 19:24:25 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2009-11-02 19:24:25 102439 ----a-w- c:\windows\system32\sipr3260.dll
2009-11-02 19:24:24 0 d-----w- c:\program files\VSO
2009-11-02 19:13:02 0 d-----w- c:\programdata\McAfee
2009-11-02 18:59:48 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 18:39:10 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-11-02 18:38:57 0 d-----w- c:\program files\Yamicsoft
2009-11-02 18:38:25 0 d-----r- c:\users\tim\Virtual Machines
2009-11-02 18:36:01 0 d-----w- c:\program files\Virtual Windows XP
2009-11-02 18:35:11 0 d-----w- c:\programdata\Adobe
2009-11-02 18:34:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 18:34:00 0 d-----w- c:\program files\Win7codecs
2009-11-02 18:33:48 0 d-sh--w- c:\windows\Installer
2009-11-02 18:33:47 0 d-----w- c:\programdata\Win7codecs
2009-11-02 18:33:24 0 d-sh--w- C:\Recovery
2009-11-02 18:11:26 0 d-----w- c:\windows\system32\RTCOM
2009-11-02 18:11:26 0 d-----w- c:\program files\Realtek
2009-11-02 18:10:50 490088 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-02 09:24:43 0 d-----w- C:\New Folder
2009-10-28 23:27:44 7754 ----a-w- C:\te.nfo
2009-10-26 22:18:00 1079272 ----a-w- C:\revosetup.exe
2009-10-18 22:04:27 0 d-----w- C:\euPOD_Pro
2009-10-18 21:55:36 0 d-----w- C:\goPod-1.4_win

==================== Find3M ====================

2009-11-07 19:53:52 1146184 ----a-w- C:\wlsetup-web.exe
2009-09-27 17:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 17:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-17 19:20:31 758937 ----a-w- C:\EasyBCD 1.7.2.exe
2009-09-16 10:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-08-29 19:27:07 389488 ----a-w- C:\OGAPluginInstall.exe
2009-08-28 19:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 11:07:28 437672 ----a-w- C:\msgr9uk.exe
2009-08-17 23:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 23:53:57 811520 ----a-w- c:\windows\system32\user32.dll
2009-08-13 23:53:57 805376 ----a-w- c:\windows\system32\cdosys.dll
2009-08-13 23:53:57 530432 ----a-w- c:\windows\system32\comctl32.dll
2009-08-13 23:53:57 380416 ----a-w- c:\windows\system32\sxs.dll
2009-08-13 23:53:57 36352 ----a-w- c:\windows\system32\mscert.dll
2009-08-13 23:53:57 304640 ----a-w- c:\windows\system32\gdi32.dll
2009-08-13 23:53:57 27136 ----a-w- c:\windows\system32\sxstrace.exe
2009-08-13 23:53:57 2326528 ----a-w- c:\windows\system32\win32k.sys
2009-08-13 23:53:52 179712 ----a-w- c:\windows\system32\notepad.exe
2009-08-13 23:53:52 179712 ----a-w- c:\windows\notepad.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:49:32.82 ===============

DDS (Ver_09-10-26.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 02/11/2009 18:37:39
System Uptime: 11/09/2009 16:56:13 (1420 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2N-MX SE
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4800+ | CPU 1 | 2500/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 123.477 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 31.382 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_011113F6&REV_10\4&1F7FA0A&0&3820
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_011113F6&REV_10\4&1F7FA0A&0&3820
Service:

==== System Restore Points ===================

RP27: 07/11/2009 17:43:12 - Sat Nov 7th
RP29: 07/11/2009 20:11:15 - Installed DirectX
RP31: 08/11/2009 07:17:25 - ThumbsPlus version 4.50
RP32: 08/11/2009 17:55:31 - Windows Update
RP34: 09/11/2009 19:15:29 - Installed Samsung PC Studio 3
RP35: 09/11/2009 19:17:13 - Device Driver Package Install: SAMSUNG Electronics Co.,Ltd. Modems
RP36: 09/11/2009 19:17:48 - Device Driver Package Install: SAMSUNG Electronics Co.,Ltd. Modems
RP37: 09/11/2009 19:18:50 - Device Driver Package Install: SAMSUNG Electronics Co.,Ltd. Ports (COM & LPT)
RP38: 09/11/2009 19:19:19 - Device Driver Package Install: SAMSUNG Electronics Co., Ltd. Ports (COM & LPT)
RP39: 09/11/2009 19:20:03 - Device Driver Package Install: SAMSUNG Electronics Co., Ltd. Modems
RP40: 09/11/2009 19:21:24 - Device Driver Package Install: Samsung Electronic, Co. Ltd. Modems
RP41: 09/11/2009 19:21:53 - Device Driver Package Install: Samsung Electronic, Co. Ltd. Ports (COM & LPT)
RP42: 09/11/2009 19:22:27 - Device Driver Package Install: Samsung Electronic, Co. Ltd. Ports (COM & LPT)

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 2009 Advanced
Bonjour
ConvertXtoDVD 3.3.2.100
CursorXP
DU Meter
Google Earth Pro
HijackThis 2.0.2
IsoBuster 2.6
iTunes
Jasc Paint Shop Pro 8
Jasc Paint Shop Pro 8.10 Update Patch
Java™ 7
Junk Mail filter update
Magic DVD Copier Version 4.9.1
McAfee SecurityCenter
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Mozilla Firefox (3.5.5)
MSVCRT
NVIDIA Drivers
NVIDIA Stereoscopic 3D Driver
QuickTime
Realtek High Definition Audio Driver
Safari
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Drive Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Sophos Anti-Rootkit 1.5.0
SUPERAntiSpyware Professional
Tag&Rename 3.5.1
ThumbsPlus version 4.50-R
Total Video Converter 3.14 08113
TuneUp Utilities
TuneUp Utilities Language Pack (en-GB)
Unlocker 1.8.8
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB974810)
Virtual Windows XP
Vuze
Win7codecs
Window Washer
Windows 7 Manager
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
WinZip 14.0

==== Event Viewer Messages From Past Week ========

09/11/2009 19:06:25, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
09/11/2009 14:16:01, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
06/11/2009 19:51:57, Error: Service Control Manager [7030] - The FEZPBU service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
06/11/2009 19:51:14, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the XWMJ service to connect.
06/11/2009 19:51:14, Error: Service Control Manager [7000] - The XWMJ service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
06/11/2009 19:50:40, Error: Service Control Manager [7030] - The XWMJ service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
06/11/2009 10:03:21, Error: cdrom [15] - The device, \Device\CdRom0, is not ready for access yet.
05/11/2009 21:16:22, Error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
04/11/2009 19:19:20, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
04/11/2009 19:19:19, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
04/11/2009 19:19:19, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
04/11/2009 19:19:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
04/11/2009 19:19:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
04/11/2009 19:19:15, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
04/11/2009 19:19:09, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
04/11/2009 19:18:46, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache mfehidk MPFP NetBIOS NetBT nsiproxy Psched rdbss spldr Tcpip tdx vpcnfltr vpcvmm Wanarpv6 WfpLwf
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the Windows Firewall service which failed to start because of the following error: The dependency service or group failed to start.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The DU Meter Service service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:18:45, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/11/2009 19:12:56, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
04/11/2009 15:41:11, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
04/11/2009 13:16:07, Error: Service Control Manager [7030] - The Lavasoft Ad-Aware Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
03/11/2009 12:42:05, Error: Service Control Manager [7034] - The DU Meter Service service terminated unexpectedly. It has done this 1 time(s).
03/11/2009 06:27:36, Error: Service Control Manager [7000] - The TuneUp Theme Extension service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
02/11/2009 22:24:54, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
02/11/2009 22:24:39, Error: Service Control Manager [7001] - The DU Meter Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

#7 myrti


    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:01:04 PM

Posted 09 November 2009 - 06:55 PM

Hi,

let's try to tackle that kbdnet.dll and what keeps bringing it back. :(

Please run a scan with Malwarebytes Anti-Malware:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


Please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Please post back with both logs in your next reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
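The GMER log requested above lists, in its "User code sections" block, one line per patched export in every process, and reading a few hundred such lines by hand is slow. As an added example (not code from this thread or from GMER), here is a small Python triage script for that format: it groups the hooks by process, separates JMP targets that GMER attributed to a loaded module from those it could not, and lists the exports that are hooked in every process. The sample log and every address in it are constructed, and the attributed module path and vendor in its last line are placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# A user-mode hook line from GMER looks like (no owning module after the target):
#   .text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 00920F32
# When GMER can map the target to a loaded image it appends the path and a
# "(description/vendor)" tag, as it does for the kernel hooks in the same log.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?")


@dataclass
class Hook:
    process: str           # image path as GMER prints it
    pid: int
    module: str            # DLL whose export is patched, e.g. kernel32.dll
    func: str              # patched export, e.g. CreateProcessW
    address: int           # address of the patched bytes
    size: int              # number of patched bytes
    target: Optional[int]  # JMP destination; None for a bare byte patch like "1 Byte [E9]"
    owner: Optional[str]   # module GMER attributed the target to, if any


def parse_user_hooks(log_text: str) -> List[Hook]:
    """One Hook per '.text <process>[pid] ...' line; every other line is ignored."""
    hooks: List[Hook] = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        target = owner = None
        j = JMP_RE.match(m["rest"])
        if j:
            target, owner = int(j["target"], 16), j["owner"]
        hooks.append(Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                          int(m["addr"], 16), int(m["size"]), target, owner))
    return hooks


def summarize(hooks: List[Hook]) -> Dict[str, dict]:
    """Per process: hooked exports, and JMP targets GMER could not attribute to a module."""
    by_proc: Dict[str, List[Hook]] = defaultdict(list)
    for h in hooks:
        by_proc[f"{h.process}[{h.pid}]"].append(h)
    report = {}
    for proc, hs in by_proc.items():
        unattributed = {h.target for h in hs if h.target is not None and h.owner is None}
        report[proc] = {
            # GMER prints both a "1 Byte [E9]" and a "5 Bytes JMP" line for one
            # patch, so exports are collected as a set rather than counted per line.
            "hooked_apis": sorted({f"{h.module}!{h.func}" for h in hs}),
            "unattributed_targets": len(unattributed),
            # Targets in the same 64 KiB region usually come from one allocation of
            # trampolines; the regions are what to compare with the module list.
            "target_regions": sorted({t >> 16 for t in unattributed}),
        }
    return report


def apis_hooked_in_every_process(hooks: List[Hook]) -> List[str]:
    """Exports patched in every listed process: the signature of a mechanism
    that loads into all of them (an AppInit_DLLs entry, a HIPS product).
    Which one it is must be settled from the owning module, not this list."""
    per_proc: Dict[str, set] = defaultdict(set)
    for h in hooks:
        per_proc[f"{h.process}[{h.pid}]"].add(f"{h.module}!{h.func}")
    return sorted(set.intersection(*per_proc.values())) if per_proc else []


# Constructed sample in GMER's format (addresses made up); the last line shows
# the attributed form with a placeholder module name and vendor.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 00920F32
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 00920000
.text C:\Windows\system32\services.exe[512] WS2_32.dll!socket 76833F00 5 Bytes JMP 004B0FEF
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 000E00DF
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 000F0FEF
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 7C801234 C:\Windows\system32\PLACEHOLDER_hips.dll (Placeholder HIPS module/Example Vendor)
"""

if __name__ == "__main__":
    hooks = parse_user_hooks(SAMPLE_LOG)
    for proc, info in summarize(hooks).items():
        print(proc, info)
    print("hooked in every process:", apis_hooked_in_every_process(hooks))
```

Run it against a saved gmer.log by passing the file's contents to parse_user_hooks; a process whose unattributed target count is high while the same exports are hooked everywhere is the one to cross-check against the AppInit_DLLs and AppCertDlls findings from the MBAM log.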


#8 Moglee

  • Topic Starter

  • Members
  • 13 posts

Posted 10 November 2009 - 11:50 AM

Thank you for your help, here are both logs.


Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 6.1.7600

10/11/2009 14:56:17
mbam-log-2009-11-10 (14-56-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195155
Time elapsed: 46 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\kbdnet.dl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\kbdnet.dl -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\kbdnet.dl (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\mscert.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-10 16:47:24
Windows 6.1.7600
Running: kc6fqxx5.exe; Driver: C:\Users\Tim\AppData\Local\Temp\kfldipob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A20AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A20104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A203F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A092D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A08898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A201DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A20958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A206F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A20F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A211A8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8E0A879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8E0A8738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8E0A874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8E0A8762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8E0A87DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8E0A881F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8E0A8710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8E0A8724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8E0A87B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8E0A8847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8E0A8833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8E0A878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8E0A8776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8E0A880B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8E0A87F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8E0A87C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82A68128 5 Bytes JMP 8E0A87CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A80579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 98E2BC9D 28 Bytes [5E, 97, 0B, 08, 1B, 34, 86, ...]
.text peauth.sys 98E2BCC1 28 Bytes [5E, 97, 0B, 08, 1B, 34, 86, ...]
.text autochk.exe 001A11D4 3 Bytes [F0, 49, 1A]
.text autochk.exe 001A11DA 1 Byte [16]
.text autochk.exe 001A11DA 3 Bytes [16, 00, 40]
.text autochk.exe 001A11E0 1 Byte [80]
.text autochk.exe 001A11E8 4 Bytes [A7, F9, 57, 32]
.text ...
.text user32.dll!DrawIconEx 77384C5D 5 Bytes JMP 01D11120
.text user32.dll!GetIconInfo 77384FA4 5 Bytes JMP 01D11030
.text user32.dll!GetCursor 773A66D0 5 Bytes JMP 01D11080

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[512] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 009200AC
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 00920F32
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 009200BD
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 0092001B
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 00920087
.text C:\Windows\system32\services.exe[512] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 0092006C
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 00920051
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 00920F94
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 00920FEF
.text C:\Windows\system32\services.exe[512] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 00920F21
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 00920FAF
.text C:\Windows\system32\services.exe[512] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 00920040
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 00920000
.text C:\Windows\system32\services.exe[512] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 00920F5E
.text C:\Windows\system32\services.exe[512] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 00920FCA
.text C:\Windows\system32\services.exe[512] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 00920F4D
.text C:\Windows\system32\services.exe[512] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 00920F79
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_open 76757E48 5 Bytes JMP 004A0FE3
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 004A0FA6
.text C:\Windows\system32\services.exe[512] msvcrt.dll!system 7678B16F 5 Bytes JMP 004A0FC1
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 004A001D
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 004A0FD2
.text C:\Windows\system32\services.exe[512] msvcrt.dll!_wopen 76790570 5 Bytes JMP 004A0000
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00B00000
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 00B0002C
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00B00058
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00B0003D
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 00B00011
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 00B00F9B
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00B00FDB
.text C:\Windows\system32\services.exe[512] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 00B00FCA
.text C:\Windows\system32\services.exe[512] WS2_32.dll!socket 76833F00 5 Bytes JMP 004B0FEF
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 000E0098
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 000E00DF
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 000E00CE
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 000E0FC3
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 000E0F65
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 000E0069
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 000E0058
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 000E0047
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 000E0FD4
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 000E0F39
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 000E0025
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 000E0036
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 000E00B3
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 000E000A
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 000E0F54
.text C:\Windows\system32\lsass.exe[528] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 000E0F76
.text C:\Windows\system32\lsass.exe[528] msvcrt.dll!_open 76757E48 5 Bytes JMP 000C0FE3
.text C:\Windows\system32\lsass.exe[528] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 000C002A
.text C:\Windows\system32\lsass.exe[528] msvcrt.dll!system 7678B16F 5 Bytes JMP 000C0F9F
.text C:\Windows\system32\lsass.exe[528] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 000C0FC1
.text C:\Windows\system32\lsass.exe[528] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 000C0FB0
.text C:\Windows\system32\lsass.exe[528] msvcrt.dll!_wopen 76790570 5 Bytes JMP 000C0FD2
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 000F0FEF
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 000F0036
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 000F0FAF
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 000F0051
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 000F0FD4
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 000F0076
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 000F0014
.text C:\Windows\system32\lsass.exe[528] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 000F0025
.text C:\Windows\system32\lsass.exe[528] WS2_32.dll!socket 76833F00 5 Bytes JMP 000D0000
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 003B00C7
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 003B010E
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 003B0F6F
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 003B0FE5
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 003B00B6
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 003B0076
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 003B0F9E
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 003B0FAF
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 003B0011
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 003B011F
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 003B0FCA
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 003B0051
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 003B0000
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 003B00D8
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 003B0036
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 003B00E9
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 003B0091
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_open 76757E48 5 Bytes JMP 00340000
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 0034003D
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!system 7678B16F 5 Bytes JMP 0034002C
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 00340011
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 00340FB2
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_wopen 76790570 5 Bytes JMP 00340FD7
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 003C0000
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 003C0FA8
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 003C0036
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 003C0025
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 003C0FE5
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 003C0F6F
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 003C0FCA
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 003C0FB9
.text C:\Windows\system32\svchost.exe[700] WS2_32.dll!socket 76833F00 5 Bytes JMP 003A0FEF
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 002A0F68
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 002A0F2B
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 002A00C0
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 002A0FD4
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 002A0F79
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 002A0087
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 002A006C
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 002A005B
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 002A0014
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 002A00D1
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 002A0FC3
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 002A004A
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 002A0FEF
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 002A0F57
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 002A0025
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 002A0F46
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 002A0F8A
.text C:\Windows\system32\svchost.exe[796] msvcrt.dll!_open 76757E48 5 Bytes JMP 001C0000
.text C:\Windows\system32\svchost.exe[796] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 001C004E
.text C:\Windows\system32\svchost.exe[796] msvcrt.dll!system 7678B16F 5 Bytes JMP 001C003D
.text C:\Windows\system32\svchost.exe[796] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 001C001B
.text C:\Windows\system32\svchost.exe[796] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 001C002C
.text C:\Windows\system32\svchost.exe[796] msvcrt.dll!_wopen 76790570 5 Bytes JMP 001C0FE3
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 00340036
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00340062
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00340051
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 00340087
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00340FCA
.text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 0034001B
.text C:\Windows\system32\svchost.exe[796] WS2_32.dll!socket 76833F00 5 Bytes JMP 001D0FE5
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 00AD0F46
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 00AD00B6
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 00AD0F21
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 00AD0FB9
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 00AD0F61
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 00AD0F8D
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 00AD0065
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 00AD0FA8
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 00AD0000
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 00AD0EFC
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 00AD002F
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 00AD0040
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 00AD0FE5
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 00AD008A
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 00AD0FD4
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 00AD009B
.text C:\Windows\System32\svchost.exe[884] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 00AD0F7C
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_open 76757E48 5 Bytes JMP 00A70000
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 00A7002C
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!system 7678B16F 5 Bytes JMP 00A70FAB
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 00A70FD7
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 00A70FC6
.text C:\Windows\System32\svchost.exe[884] msvcrt.dll!_wopen 76790570 5 Bytes JMP 00A70011
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00AE0FE5
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 00AE0051
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00AE0FCA
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00AE006C
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 00AE000A
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 00AE0FB9
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00AE001B
.text C:\Windows\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 00AE0036
.text C:\Windows\System32\svchost.exe[884] WS2_32.dll!socket 76833F00 5 Bytes JMP 00AC0000
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 009B0F3C
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 009B00AF
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 009B0F10
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 009B0011
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 009B0F4D
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 009B005B
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 009B0F79
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 009B0040
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 009B0FDB
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 009B00C0
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 009B0FA5
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 009B0F94
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 009B0000
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 009B0080
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 009B0FC0
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 009B0F2B
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 009B0F68
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_open 76757E48 5 Bytes JMP 00950000
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 00950069
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!system 7678B16F 5 Bytes JMP 00950058
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 0095002C
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 0095003D
.text C:\Windows\System32\svchost.exe[944] msvcrt.dll!_wopen 76790570 5 Bytes JMP 00950011
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00CD0000
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 00CD0FDE
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00CD0FC3
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00CD0065
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 00CD001B
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 00CD008A
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00CD0036
.text C:\Windows\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 00CD0FEF
.text C:\Windows\System32\svchost.exe[944] WS2_32.dll!socket 76833F00 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 00F800C0
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 00F80F6B
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 00F80F7C
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 00F80FDB
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 00F80F97
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 00F8009B
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 00F80FB9
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 00F80FCA
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 00F80011
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 00F8011B
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 00F80047
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 00F8006C
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 00F80000
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 00F800DB
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 00F80022
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 00F800EC
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 00F80FA8
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_open 76757E48 5 Bytes JMP 00DA0000
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_wsystem 7678B04F 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 00DA0053
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!system 7678B16F 5 Bytes JMP 00DA0FC8
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 00DA0FE3
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 00DA0038
.text C:\Windows\system32\svchost.exe[992] msvcrt.dll!_wopen 76790570 5 Bytes JMP 00DA0011
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00F90FEF
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 00F90025
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00F90036
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00F90F9E
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 00F90FD4
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 00F90F79
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00F90FC3
.text C:\Windows\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 00F90014
.text C:\Windows\system32\svchost.exe[992] WS2_32.dll!socket 76833F00 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 0001008A
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 000100C7
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 00010F32
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 00010FCD
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 00010F61
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 0001005E
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 0001004D
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 00010F90
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 00010014
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 000100D8
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 00010FB2
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 00010FA1
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 00010FEF
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 0001009B
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 00010FDE
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 000100AC
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 0001006F
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_open 76757E48 5 Bytes JMP 000D0000
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 000D0FAF
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!system 7678B16F 5 Bytes JMP 000D003A
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 000D0FEF
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 000D0FCA
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_wopen 76790570 5 Bytes JMP 000D001D
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 000E0FEF
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 000E000A
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 000E0F68
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 000E0F83
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 000E0FDE
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 000E0025
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 000E0FC3
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 000E0FA8
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 006B0F9E
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 006B0F3C
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 006B0F57
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 006B0040
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 006B0FAF
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 006B0098
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 006B0087
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 006B0FCA
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 006B001B
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 006B00EC
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 006B005B
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 006B006C
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 006B000A
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 006B0F83
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 006B0FEF
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 006B0F68
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 006B00B3
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_open 76757E48 5 Bytes JMP 0061000C
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 0061004E
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!system 7678B16F 5 Bytes JMP 00610FC3
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 00610FEF
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 00610FD4
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wopen 76790570 5 Bytes JMP 0061001D
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 006C0000
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 006C005B
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 006C0080
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 006C0FD4
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 006C0FEF
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 006C0091
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 006C0025
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 006C0040
.text C:\Windows\system32\svchost.exe[1144] WS2_32.dll!socket 76833F00 5 Bytes JMP 00660000
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 003400A5
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 00340F46
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 003400D1
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 00340FBC
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 00340F72
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 0034006F
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 0034005E
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 0034004D
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 00340FDE
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 00340F2B
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 00340028
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 00340FA1
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 003400B6
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 00340FCD
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 00340F61
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 00340080
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_open 76757E48 5 Bytes JMP 0032000C
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 00320042
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!system 7678B16F 5 Bytes JMP 00320FB7
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 00320FD2
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 00320027
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_wopen 76790570 5 Bytes JMP 00320FE3
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00E90FEF
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 00E90040
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00E90051
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00E90FB9
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 00E90FDE
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 00E90F94
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00E9000A
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 00E90025
.text C:\Windows\system32\svchost.exe[1348] WS2_32.dll!socket 76833F00 5 Bytes JMP 00330000
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 004F00A9
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 004F0F4A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 004F00DF
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 004F0025
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 004F0098
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 004F0F9E
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 004F0076
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 004F005B
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 004F0FE5
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 004F00F0
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 004F0040
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 004F0FAF
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 004F0000
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 004F0F65
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 004F0FD4
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 004F00CE
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 004F0087
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_open 76757E48 5 Bytes JMP 00490FEF
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 00490029
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!system 7678B16F 5 Bytes JMP 00490FA8
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 00490FC3
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 00490018
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_wopen 76790570 5 Bytes JMP 00490FDE
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00500000
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 00500FAF
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00500036
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00500F9E
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 00500FDB
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 00500047
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00500011
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 00500FC0
.text C:\Windows\system32\svchost.exe[1528] WS2_32.dll!socket 76833F00 5 Bytes JMP 004A000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1772] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1772] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\Dwm.exe[2116] USER32.dll!DrawIconEx 77384C5D 5 Bytes JMP 00681120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\system32\Dwm.exe[2116] USER32.dll!GetIconInfo 77384FA4 5 Bytes JMP 00681030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\system32\Dwm.exe[2116] USER32.dll!GetCursor 773A66D0 5 Bytes JMP 00681080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 003F0091
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 003F00FD
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 003F00EC
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 003F0FD1
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 003F0F68
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 003F0F83
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 003F0F94
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 003F0FA5
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 003F0011
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 003F0F43
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 003F003D
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!LoadLibraryW 76D128B2 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 003F0FB6
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 003F0000
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 003F00AC
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 003F0022
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 003F00D1
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 003F0076
.text C:\Windows\System32\svchost.exe[2140] msvcrt.dll!_open 76757E48 5 Bytes JMP 00340FEF
.text C:\Windows\System32\svchost.exe[2140] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 00340FA8
.text C:\Windows\System32\svchost.exe[2140] msvcrt.dll!system 7678B16F 5 Bytes JMP 00340FC3
.text C:\Windows\System32\svchost.exe[2140] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 00340029
.text C:\Windows\System32\svchost.exe[2140] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 00340FD4
.text C:\Windows\System32\svchost.exe[2140] msvcrt.dll!_wopen 76790570 5 Bytes JMP 00340018
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 00440FE5
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 0044002C
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 00440F94
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 00440FA5
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 00440000
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 0044005B
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 00440FCA
.text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 0044001B
.text C:\Windows\System32\svchost.exe[2140] wininet.dll!InternetOpenA 76897E1C 5 Bytes JMP 00360000
.text C:\Windows\System32\svchost.exe[2140] wininet.dll!InternetOpenW 76899DA0 5 Bytes JMP 00360011
.text C:\Windows\System32\svchost.exe[2140] wininet.dll!InternetOpenUrlA 7689DC18 5 Bytes JMP 00360FDB
.text C:\Windows\System32\svchost.exe[2140] wininet.dll!InternetOpenUrlW 768EDC14 5 Bytes JMP 0036002C
.text C:\Windows\System32\svchost.exe[2140] WS2_32.dll!socket 76833F00 5 Bytes JMP 00450000
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 03160F5E
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 031600C7
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 03160F32
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 0316001B
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 03160087
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 03160F79
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 03160051
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 03160F8A
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 03160FE5
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 031600E2
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 0316002C
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 03160FAF
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 03160000
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 031600AC
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 03160FCA
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 03160F4D
.text C:\Windows\Explorer.EXE[2168] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 03160076
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 03170FEF
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 0317004A
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 03170065
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 03170FC3
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 03170FDE
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 03170076
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 03170014
.text C:\Windows\Explorer.EXE[2168] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 0317002F
.text C:\Windows\Explorer.EXE[2168] msvcrt.dll!_open 76757E48 5 Bytes JMP 03140000
.text C:\Windows\Explorer.EXE[2168] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 0314001B
.text C:\Windows\Explorer.EXE[2168] msvcrt.dll!system 7678B16F 5 Bytes JMP 03140F9A
.text C:\Windows\Explorer.EXE[2168] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 03140FBC
.text C:\Windows\Explorer.EXE[2168] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 03140FAB
.text C:\Windows\Explorer.EXE[2168] msvcrt.dll!_wopen 76790570 5 Bytes JMP 03140FE3
.text C:\Windows\Explorer.EXE[2168] USER32.dll!DrawIconEx 77384C5D 5 Bytes JMP 02131120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\Explorer.EXE[2168] USER32.dll!GetIconInfo 77384FA4 5 Bytes JMP 02131030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\Explorer.EXE[2168] USER32.dll!GetCursor 773A66D0 5 Bytes JMP 02131080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\Explorer.EXE[2168] SHELL32.dll!SHFileOperationW 757696B8 5 Bytes JMP 02CF1102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenA 76897E1C 3 Bytes JMP 03150FEF
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenA + 4 76897E20 1 Byte [8C]
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenW 76899DA0 3 Bytes JMP 0315000A
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenW + 4 76899DA4 1 Byte [8C]
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenUrlA 7689DC18 3 Bytes JMP 03150FD4
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenUrlA + 4 7689DC1C 1 Byte [8C]
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenUrlW 768EDC14 5 Bytes JMP 03150FB9
.text C:\Windows\Explorer.EXE[2168] WS2_32.dll!socket 76833F00 5 Bytes JMP 03610000
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[2568] USER32.dll!DrawIconEx 77384C5D 5 Bytes JMP 01E81120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[2568] USER32.dll!GetIconInfo 77384FA4 5 Bytes JMP 01E81030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[2568] USER32.dll!GetCursor 773A66D0 5 Bytes JMP 01E81080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!GetStartupInfoA 76CC1DF0 5 Bytes JMP 003C0F6F
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 003C0F39
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateProcessA 76CC2062 5 Bytes JMP 003C00CE
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateNamedPipeW 76CF1FD6 5 Bytes JMP 003C0036
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreatePipe 76CF4A8B 5 Bytes JMP 003C0F80
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!VirtualProtect 76D050AB 5 Bytes JMP 003C007D
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryExW 76D0B6BF 5 Bytes JMP 003C006C
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryExA 76D0BC8B 5 Bytes JMP 003C005B
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateFileW 76D10B5D 5 Bytes JMP 003C001B
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!GetProcAddress 76D11837 5 Bytes JMP 003C00E9
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 003C0FC0
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryW 76D128B2 5 Bytes JMP 003C0FAF
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 003C0000
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!GetStartupInfoW 76D17CB5 5 Bytes JMP 003C00B3
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateNamedPipeA 76D4D4DF 5 Bytes JMP 003C0FDB
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!WinExec 76D4E695 5 Bytes JMP 003C0F54
.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!VirtualProtectEx 76D4F651 5 Bytes JMP 003C0098
.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_open 76757E48 5 Bytes JMP 003A000C
.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_wsystem 7678B04F 5 Bytes JMP 003A004E
.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!system 7678B16F 5 Bytes JMP 003A003D
.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_creat 7678ED29 5 Bytes JMP 003A0FDE
.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_wcreat 7679038E 5 Bytes JMP 003A0FC3
.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_wopen 76790570 5 Bytes JMP 003A0FEF
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyA 76F7D2ED 5 Bytes JMP 003D0000
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyA 76F7D3C1 5 Bytes JMP 003D003D
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyExA 76F81B71 5 Bytes JMP 003D0FB6
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyW 76F81CC0 5 Bytes JMP 003D0058
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyW 76F83129 5 Bytes JMP 003D0011
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyExW 76F8B946 5 Bytes JMP 003D0069
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyExA 76F8BC0D 5 Bytes JMP 003D0FDB
.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 003D002C
.text C:\Windows\system32\svchost.exe[3040] WS2_32.dll!socket 76833F00 5 Bytes JMP 003B000A
.text C:\kc6fqxx5.exe[3744] USER32.dll!DrawIconEx 77384C5D 5 Bytes JMP 01D11120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\kc6fqxx5.exe[3744] USER32.dll!GetIconInfo 77384FA4 5 Bytes JMP 01D11030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\kc6fqxx5.exe[3744] USER32.dll!GetCursor 773A66D0 5 Bytes JMP 01D11080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[3872] USER32.dll!DrawIconEx 77384C5D 5 Bytes JMP 03751120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[3872] USER32.dll!GetIconInfo 77384FA4 5 Bytes JMP 03751030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[3872] USER32.dll!GetCursor 773A66D0 5 Bytes JMP 03751080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1780] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [752B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1780] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [752B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1780] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Webroot\Washer\WasherSvc.exe[2236] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [0008ECEC] C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\WasherSvc.exe[2236] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0008ECEC] C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\WasherSvc.exe[2236] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0008EEF0] C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\WasherSvc.exe[2236] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!QueueUserWorkItem] [0008EEF0] C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\WasherSvc.exe[2236] @ C:\Windows\system32\wininet.dll [KERNEL32.dll!CreateThread] [0008ECEC] C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\wwDisp.exe[3676] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [0008F270] C:\Program Files\Webroot\Washer\wwDisp.exe (Window Washer Client Executable/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\wwDisp.exe[3676] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0008F270] C:\Program Files\Webroot\Washer\wwDisp.exe (Window Washer Client Executable/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\wwDisp.exe[3676] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0008F474] C:\Program Files\Webroot\Washer\wwDisp.exe (Window Washer Client Executable/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\wwDisp.exe[3676] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!QueueUserWorkItem] [0008F474] C:\Program Files\Webroot\Washer\wwDisp.exe (Window Washer Client Executable/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Washer\wwDisp.exe[3676] @ C:\Windows\system32\wininet.dll [KERNEL32.dll!CreateThread] [0008F270] C:\Program Files\Webroot\Washer\wwDisp.exe (Window Washer Client Executable/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:1356] 98F12F2E

---- EOF - GMER 1.0.15 ----
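The user-mode hook listing above is the security-relevant part of this GMER log. Every svchost.exe and Explorer.EXE entry jumps to a target with no owning module printed after it, whereas the CursorXP, Unlocker and McAfee hooks name the DLL or EXE that owns the target. The Python below is an added example and is not part of the original post or of GMER: it parses lines of that section, merges the several lines GMER prints for one patched export, and lists the processes carrying unattributed hooks together with the API families those hooks cover. The sample lines are copied from the log above; the grouping of exports into families (process, file, registry, network, loader, memory, ipc) is this example's own choice.

```python
import re

# Constructed sample: lines copied from the GMER 1.0.15 "User code sections" log
# above. Most entries name no owning module after the JMP target; the CursorXP,
# Unlocker and McAfee entries do.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 76CC202D 5 Bytes JMP 006B0F3C
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 76F8BEC4 5 Bytes JMP 006C0040
.text C:\Windows\system32\svchost.exe[1144] WS2_32.dll!socket 76833F00 5 Bytes JMP 00660000
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateFileA 76D128FC 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2140] kernel32.dll!CreateFileA 76D128FC 5 Bytes JMP 003F0000
.text C:\Windows\System32\svchost.exe[2140] wininet.dll!InternetOpenUrlW 768EDC14 5 Bytes JMP 0036002C
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenA 76897E1C 3 Bytes JMP 03150FEF
.text C:\Windows\Explorer.EXE[2168] WININET.dll!InternetOpenA + 4 76897E20 1 Byte [8C]
.text C:\Windows\Explorer.EXE[2168] USER32.dll!DrawIconEx 77384C5D 5 Bytes JMP 02131120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Windows\Explorer.EXE[2168] SHELL32.dll!SHFileOperationW 757696B8 5 Bytes JMP 02CF1102 C:\Program Files\Unlocker\UnlockerHook.dll
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1772] kernel32.dll!LoadLibraryA 76D12864 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

# One GMER hook line: ".text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Byte(s) JMP <target> [<owner> (<desc>)]"
# or, for a partially reported patch, "... <n> Byte(s) [<hex bytes>]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S.*?)(?:\s+\((?P<desc>[^)]*)\))?)?"
    r"|\[(?P<raw>[0-9A-Fa-f ]+)\])\s*$"
)

# Grouping of hooked exports into API families is this example's own choice.
FAMILIES = {
    "process": {"CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "file": {"CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"VirtualProtect", "VirtualProtectEx"},
    "ipc": {"CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
}


def family_of(export):
    for name, exports in FAMILIES.items():
        if export in exports:
            return name
    return "other"


def parse_hooks(text):
    """Parse GMER user-mode hook lines into dicts; non-matching lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"], d["size"] = int(d["pid"]), int(d["size"])
            hooks.append(d)
    return hooks


def collapse(hooks):
    """Merge the several lines GMER prints for one patched export.

    A hook can appear as a '1 Byte [E9]' line (E9 is the x86 opcode of JMP rel32),
    as the 'N Bytes JMP <target>' line, and as an 'export + 4' fragment; all of
    them describe the same patch at the same export, so they are keyed together.
    """
    merged = {}
    for h in hooks:
        key = (h["proc"].lower(), h["pid"], h["module"].lower(), h["export"])
        e = merged.setdefault(key, {"proc": h["proc"], "pid": h["pid"], "module": h["module"],
                                    "export": h["export"], "addr": h["addr"],
                                    "target": None, "owner": None})
        e["target"] = e["target"] or h["target"]
        e["owner"] = e["owner"] or h["owner"]
    return list(merged.values())


def triage(text):
    """Group hooks per process and split them into attributed and unattributed.

    An attributed hook names the module owning the JMP target (CurXP0.dll, the
    McAfee proxy); an unattributed one jumps to memory GMER could not map to a
    loaded module, which is the trace left by code injected into the process.
    """
    report = {}
    for h in collapse(parse_hooks(text)):
        key = (h["proc"].rsplit("\\", 1)[-1].lower(), h["pid"])
        r = report.setdefault(key, {"attributed": [], "unattributed": [], "families": set()})
        if h["owner"]:
            r["attributed"].append(h)
        else:
            r["unattributed"].append(h)
            r["families"].add(family_of(h["export"]))
    return report


def suspicious_processes(text):
    """(image name, pid, sorted families, hook count) for processes with unattributed hooks."""
    return sorted((name, pid, sorted(r["families"]), len(r["unattributed"]))
                  for (name, pid), r in triage(text).items() if r["unattributed"])


if __name__ == "__main__":
    for name, pid, fams, n in suspicious_processes(SAMPLE_LOG):
        print(f"{name}[{pid}]: {n} unattributed hook(s) covering {', '.join(fams)}")
```

Run as a script, it prints one line per process that has unattributed hooks; on the sample that is Explorer.EXE and the two svchost.exe instances, while mcproxy.exe drops out because its only hook is owned by McAfee's own module. "Unattributed" means GMER could not map the JMP target to a loaded module, which is what code injected into a process looks like; it is a triage aid rather than proof, and the owner check is only as good as GMER's module list at scan time.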

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:01:04 PM

Posted 10 November 2009 - 01:22 PM

Hi,

Please post a new log from OTL (only otl.txt will be created).

I have changed my nick today from _temp_ to myrti; I hope that won't cause too much confusion.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 Moglee

Moglee
  • Topic Starter

  • Members
  • 13 posts
  • Local time:11:04 AM

Posted 10 November 2009 - 01:42 PM

Since I ran the malware and had it remove files, I can now no longer write anything to the DVD drive. I am going to do a fresh install of Win 7; I hope I can get back to you.

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:01:04 PM

Posted 10 November 2009 - 01:59 PM

Hi moglee,

If you have the CD handy this is probably the quickest solution. Otherwise we could have tried fixing the problem, but the fresh install is probably quicker.

The files Malwarebytes deleted were definitely bad, so I'm not sure what might be causing this.

Let me know what you decide.

regards myrti



#12 Moglee

Moglee
  • Topic Starter

  • Members
  • 13 posts
  • Local time:11:04 AM

Posted 10 November 2009 - 02:18 PM

Well, perhaps you could try and help with this writing problem; installing Windows and all the software again is a huge task.

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:01:04 PM

Posted 10 November 2009 - 03:13 PM

Hi,

The first step we can try, to restore the system to a state prior to this problem, is restoring the files Malwarebytes quarantined. You can easily do this by running Malwarebytes, selecting the Quarantine tab and restoring the deleted files and registry entries.

If this solves the problem please let me know.

If this doesn't work we will try to do a system restore.

regards myrti



#14 Moglee

Moglee
  • Topic Starter

  • Members
  • 13 posts
  • Local time:11:04 AM

Posted 10 November 2009 - 03:24 PM

Hello myrti, I sent you a PM. I have already restored the files that malware quarantined, no difference. I have also done a system restore, again no difference.

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:01:04 PM

Posted 10 November 2009 - 03:40 PM

Hi,

Thanks, I got your PM; I just hadn't had the time to reply.

Can you test the CD drive in a different PC? If you did a system restore and the CD drive still isn't working, this may not be software related.

What happens if you try to burn a CD? Does the burning software recognize the drive as a burner?
Could you give me the make of the CD drive? I'll see if I can find some information on that.

regards myrti

Edited by myrti, 10 November 2009 - 03:41 PM.





