
Google being redirected - HOSTS file locked


17 replies to this topic

#1 UbreBlanca

  • Members
  • 13 posts

Posted 08 November 2009 - 12:12 PM

Hi there - I originally posted to the "Am I infected?" forum. I was directed to run RootRepeal, Win32kDiag, and DDS - and to post all logs in this forum (which I've done below). Topic referenced is here: http://www.bleepingcomputer.com/forums/t/269091/cannot-remove-google-redirect-infection/ ~ OB Really appreciate the help.

Here are my original posts describing my problem:

Post 1

I have a Dell Dimension 4600 running Windows XP Home Edition and recently was infected with a rogue anti-virus program - no idea which version. I have (and at the time of infection had) a current version of McAfee Security Centre up and running. I managed to download and run Malwarebytes Anti-Malware. It found numerous infected files which I've removed. I then updated McAfee - which found some other infected files which I then quarantined and removed. That cleaned up my computer. Since then, there have been repeated instances of reinfection by what looks like the same rogue anti-virus program. However, I'm suspecting that these reinfections are caused by my wife viewing celebrity gossip sites (I've since told her to stop). I clean the computer up each time it's infected. Currently, both Malwarebytes and McAfee scans indicate that no files are infected.

However, when I search on Google (I'm browsing using IE8) I get a full set of search results - but on a random basis (maybe about half to two-thirds of the time) - when I click on these links - I get taken to some random website - like info.com which has a bunch of search results. I find the redirects happen more frequently when I use the Google Toolbar for the search rather than typing in the address google.ca or google.com - however even direct typing of the address can result in my being redirected. I've reinstalled Google Toolbar - but this has no impact.

I've tried running CWShredder - didn't find any infected files.

Can you point me in the direction of a program that might be able to identify or fix this problem?

Thanks

Post 2

I've done further researching into this. I think my Hosts file has been tampered with. It currently reads:

74.125.45.100 www.securesoftwarebill.com

I've tried to modify it back to the original MS setting - 127.0.0.1 localhost - but it won't let me make changes to the file. The HOSTS file is listed as read only. I've tried to change this and I'm being blocked from changing the read only status.

Not sure if this is the problem - but it seems fishy to me - the 74.125.45.100 is a Google address and www.securesoftwarebill.com seems to be associated with all sorts of badness.

Hope that helps in identifying the problem. Thanks!

Here are the DDS, RootRepeal and Win32kDiag logs - in that order. I've attached a zipped Attach log as well.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Cooper at 8:48:50.71 on 08/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2302.1615 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Windows Enterprise Defender *On-access scanning enabled* (Updated) {263695FD-DEBC-47B6-B5BE-A56EAB4FA758}
AV: Windows Enterprise Defender *On-access scanning enabled* (Updated) {4AAF26E7-76E1-466A-9D46-E5BBE35D9CC2}
FW: Windows Enterprise Defender *enabled* {918852D7-305C-41F9-B60D-3665FB3CA0DF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Windows Enterprise Defender *enabled* {A0931979-528E-4CEC-BE9D-5CB5025454DD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cooper\My Documents\Downloaded Files\Anti-Malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.passport.net/uilogin.srf?id=2
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6253\SiteAdv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RealPlayer] "c:\program files\real\realplayer\realplay.exe" /RunUPGToolCommandReBoot
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\orderreminder\OrderReminder.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: []
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [spechkgu] c:\documents and settings\pamela\local settings\application data\lunwne\nehvsysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: =
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://westmap.westvancouver.ca/westmapviewer/mgaxctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {AD08A333-609E-11D3-950C-008098601567} - hxxp://wordreference.com/Install/ItalianToEnglish.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6253\SiteAdv.dll
Notify: igfxcui - igfxdev.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\cooper\locals~1\temp\cel90xbe.sys --> c:\docume~1\cooper\locals~1\temp\cel90xbe.sys [?]
S3 palmusb;USB Comm driver (WDM);c:\windows\system32\drivers\palmusb.sys [2001-12-20 72800]

=============== Created Last 30 ================

2009-11-07 22:09:01 0 --sha-w- C:\-865300045
2009-11-03 00:19:31 0 d-----w- c:\program files\ynqnhh
2009-10-26 03:54:22 0 dc-h--w- c:\windows\ie8
2009-10-25 20:07:26 0 d-sh--w- c:\docume~1\alluse~1\applic~1\84adafa
2009-10-23 21:17:51 0 d-----w- c:\program files\hcvcok
2009-10-21 02:09:48 0 d-----w- c:\docume~1\cooper\applic~1\Malwarebytes
2009-10-21 02:09:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 02:09:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 02:09:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-21 02:09:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 15:34:46 0 d-----w- c:\docume~1\cooper\applic~1\Crayon Physics Deluxe
2009-10-11 15:34:30 0 d-----w- c:\program files\Crayon Physics Deluxe Demo

==================== Find3M ====================

2009-09-16 17:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 15:09:19 83712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2005-09-26 20:31:40 3523520 ----a-w- c:\program files\easypdf_setup.exe
2001-11-30 18:09:50 49152 ----a-r- c:\program files\common files\HDvAvi.dll

============= FINISH: 8:50:51.68 ===============

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/07 07:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF8E2000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_24kp519xrkgqiyz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_9ll0mdv9tw3cdlk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_inhw6u06nlzbaqd
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_k3klesqr7yxv173
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_nbjdzh7e4b2uw6b
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_oamdvahejhmxwtr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_xco6gwcnb08ngic
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Pamela\My Documents\Photos\Fall & H'ween 2007\Dc276.JPG
Status: Locked to the Windows API!

==EOF==

Running from: C:\Documents and Settings\Cooper\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Cooper\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll

[1] 2005-07-25 20:20:23 225792 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrv.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 225280 C:\WINDOWS\$NtServicePackUninstall$\catsrv.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 215040 C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll ()

[1] 2004-08-03 23:56:41 229888 C:\WINDOWS\$NtUninstallKB902400$\catsrv.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 229888 C:\WINDOWS\ServicePackFiles\i386\catsrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 226304 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\catsrv.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:42 225792 C:\WINDOWS\SYSTEM32\catsrv.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 215040 C:\i386\CATSRV.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll

[1] 2005-07-25 20:20:23 625152 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrvut.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 594944 C:\WINDOWS\$NtServicePackUninstall$\catsrvut.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 582656 C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll ()

[1] 2004-08-03 23:56:41 628224 C:\WINDOWS\$NtUninstallKB902400$\catsrvut.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 628224 C:\WINDOWS\ServicePackFiles\i386\catsrvut.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 625664 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\catsrvut.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 625152 C:\WINDOWS\SYSTEM32\catsrvut.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 582656 C:\i386\CATSRVUT.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll

[1] 2005-07-25 20:20:23 110080 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 110080 C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 100864 C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll ()

[1] 2004-08-03 23:56:41 110080 C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 110080 C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 110592 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\clbcatex.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 110080 C:\WINDOWS\SYSTEM32\clbcatex.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 100864 C:\i386\CLBCATEX.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll

[1] 2005-07-25 20:20:24 498688 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 499712 C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 468480 C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll ()

[1] 2004-08-03 23:56:41 501248 C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 501248 C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 498688 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\clbcatq.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 498688 C:\WINDOWS\SYSTEM32\clbcatq.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 498688 C:\WINDOWS\SYSTEM32\DLLCACHE\clbcatq.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 468480 C:\i386\CLBCATQ.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\colbact.dll

[1] 2005-07-25 20:20:24 60416 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\colbact.dll (Microsoft Corporation)

[1] 2005-07-25 20:20:24 60416 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\colbact.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 64512 C:\WINDOWS\$NtServicePackUninstall$\colbact.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 56832 C:\WINDOWS\$NtUninstallKB828741$\colbact.dll ()

[1] 2004-08-03 23:56:41 62464 C:\WINDOWS\$NtUninstallKB902400$\colbact.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 62464 C:\WINDOWS\ServicePackFiles\i386\colbact.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 60416 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\colbact.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 60416 C:\WINDOWS\SYSTEM32\colbact.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 60416 C:\WINDOWS\SYSTEM32\DLLCACHE\colbact.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 56832 C:\i386\COLBACT.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll

[1] 2005-07-25 20:20:24 195072 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comadmin.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 187904 C:\WINDOWS\$NtServicePackUninstall$\comadmin.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 186880 C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll ()

[1] 2004-08-03 23:56:41 195584 C:\WINDOWS\$NtUninstallKB902400$\comadmin.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 195584 C:\WINDOWS\ServicePackFiles\i386\comadmin.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 195072 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\comadmin.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:44 195072 C:\WINDOWS\SYSTEM32\Com\comadmin.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 186880 C:\i386\COMADMIN.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe

[1] 2004-02-17 10:49:58 8192 C:\WINDOWS\$NtServicePackUninstall$\comrepl.exe (Microsoft Corporation)

[1] 2002-08-29 03:00:00 8192 C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe ()

[1] 2004-08-03 23:56:48 9728 C:\WINDOWS\ServicePackFiles\i386\comrepl.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:15 9728 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\comrepl.exe (Microsoft Corporation)

[1] 2004-08-03 23:56:48 9728 C:\WINDOWS\SYSTEM32\Com\comrepl.exe (Microsoft Corporation)

[1] 2002-08-29 03:00:00 8192 C:\i386\COMREPL.EXE (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll

[1] 2005-07-25 20:20:27 1267200 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comsvcs.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 1194496 C:\WINDOWS\$NtServicePackUninstall$\comsvcs.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 1172992 C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll ()

[1] 2004-08-03 23:56:41 1251840 C:\WINDOWS\$NtUninstallKB902400$\comsvcs.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 1251840 C:\WINDOWS\ServicePackFiles\i386\comsvcs.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 1267200 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\comsvcs.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:44 1267200 C:\WINDOWS\SYSTEM32\comsvcs.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 1172992 C:\i386\COMSVCS.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comuid.dll

[1] 2005-07-25 20:20:28 540160 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comuid.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 499200 C:\WINDOWS\$NtServicePackUninstall$\comuid.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 495616 C:\WINDOWS\$NtUninstallKB828741$\comuid.dll ()

[1] 2004-08-03 23:56:41 540160 C:\WINDOWS\$NtUninstallKB902400$\comuid.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:41 540160 C:\WINDOWS\ServicePackFiles\i386\comuid.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 539648 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\comuid.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:45 540160 C:\WINDOWS\SYSTEM32\comuid.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 495616 C:\i386\COMUID.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\es.dll

[1] 2005-07-25 20:20:28 243200 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:06:43 253952 C:\WINDOWS\$hf_mig$\KB950974\SP2QFE\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:26:58 253952 C:\WINDOWS\$hf_mig$\KB950974\SP3GDR\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:23:18 253952 C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 226816 C:\WINDOWS\$NtServicePackUninstall$\es.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 225280 C:\WINDOWS\$NtUninstallKB828741$\es.dll ()

[1] 2004-08-03 23:56:42 243200 C:\WINDOWS\$NtUninstallKB902400$\es.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:45 243200 C:\WINDOWS\$NtUninstallKB950974$\es.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 243200 C:\WINDOWS\ServicePackFiles\i386\es.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 246272 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:32:22 253952 C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:32:22 253952 C:\WINDOWS\SYSTEM32\es.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 225280 C:\i386\ES.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll

[1] 2005-07-25 20:20:29 425472 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 426496 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:12 428032 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 428032 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 428032 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 367616 C:\WINDOWS\$NtServicePackUninstall$\msdtcprx.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 359936 C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll ()

[1] 2004-08-03 23:56:43 425472 C:\WINDOWS\$NtUninstallKB902400$\msdtcprx.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:46 425472 C:\WINDOWS\$NtUninstallKB913580$\msdtcprx.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 426496 C:\WINDOWS\$NtUninstallKB952004$\msdtcprx.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 425472 C:\WINDOWS\ServicePackFiles\i386\msdtcprx.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 427008 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 428032 C:\WINDOWS\SYSTEM32\DLLCACHE\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 428032 C:\WINDOWS\SYSTEM32\msdtcprx.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 359936 C:\i386\MSDTCPRX.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll

[1] 2005-07-25 20:20:31 945152 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtctm.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 956416 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 956928 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 956928 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 956928 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\msdtctm.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 977920 C:\WINDOWS\$NtServicePackUninstall$\msdtctm.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 869376 C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll ()

[1] 2004-08-03 23:56:43 949248 C:\WINDOWS\$NtUninstallKB902400$\msdtctm.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 945152 C:\WINDOWS\$NtUninstallKB913580$\msdtctm.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 956416 C:\WINDOWS\$NtUninstallKB952004$\msdtctm.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 949248 C:\WINDOWS\ServicePackFiles\i386\msdtctm.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 956928 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 956928 C:\WINDOWS\SYSTEM32\DLLCACHE\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 956928 C:\WINDOWS\SYSTEM32\msdtctm.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 869376 C:\i386\MSDTCTM.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll

[1] 2005-07-25 20:20:31 161280 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 161280 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 161792 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 161792 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 161792 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 150528 C:\WINDOWS\$NtServicePackUninstall$\msdtcuiu.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 151040 C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll ()

[1] 2004-08-03 23:56:43 161280 C:\WINDOWS\$NtUninstallKB902400$\msdtcuiu.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 161280 C:\WINDOWS\$NtUninstallKB913580$\msdtcuiu.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 161280 C:\WINDOWS\$NtUninstallKB952004$\msdtcuiu.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 161280 C:\WINDOWS\ServicePackFiles\i386\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 161792 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 161792 C:\WINDOWS\SYSTEM32\DLLCACHE\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 161792 C:\WINDOWS\SYSTEM32\msdtcuiu.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 151040 C:\i386\MSDTCUIU.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll

[1] 2005-07-25 20:20:39 66560 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxclu.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 66560 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 66560 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 66560 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 66560 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\mtxclu.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 64512 C:\WINDOWS\$NtServicePackUninstall$\mtxclu.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 61440 C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll ()

[1] 2004-08-03 23:56:44 66560 C:\WINDOWS\$NtUninstallKB902400$\mtxclu.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 66560 C:\WINDOWS\$NtUninstallKB913580$\mtxclu.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 66560 C:\WINDOWS\$NtUninstallKB952004$\mtxclu.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 66560 C:\WINDOWS\ServicePackFiles\i386\mtxclu.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 66560 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 66560 C:\WINDOWS\SYSTEM32\DLLCACHE\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 66560 C:\WINDOWS\SYSTEM32\mtxclu.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 61440 C:\i386\MTXCLU.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll

[1] 2005-07-25 20:20:40 91136 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxoci.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 91136 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 91648 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 91648 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 91648 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\mtxoci.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 82432 C:\WINDOWS\$NtServicePackUninstall$\mtxoci.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 83968 C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll ()

[1] 2004-08-03 23:56:44 90112 C:\WINDOWS\$NtUninstallKB902400$\mtxoci.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 91136 C:\WINDOWS\$NtUninstallKB913580$\mtxoci.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 91136 C:\WINDOWS\$NtUninstallKB952004$\mtxoci.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 90112 C:\WINDOWS\ServicePackFiles\i386\mtxoci.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 91648 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 91648 C:\WINDOWS\SYSTEM32\DLLCACHE\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 91648 C:\WINDOWS\SYSTEM32\mtxoci.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 83968 C:\i386\MTXOCI.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\ole32.dll

[1] 2005-01-13 21:07:42 1284608 C:\WINDOWS\$hf_mig$\KB873333\SP2QFE\ole32.dll (Microsoft Corporation)

[1] 2005-04-28 11:35:02 1286144 C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\ole32.dll (Microsoft Corporation)

[1] 2005-07-25 20:20:40 1285632 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\ole32.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 1183744 C:\WINDOWS\$NtServicePackUninstall$\ole32.dll (Microsoft Corporation)

[1] 2003-08-25 11:53:44 1172992 C:\WINDOWS\$NtUninstallKB828741$\ole32.dll ()

[1] 2004-08-03 23:56:44 1281536 C:\WINDOWS\$NtUninstallKB873333$\ole32.dll (Microsoft Corporation)

[1] 2005-01-14 00:55:50 1285120 C:\WINDOWS\$NtUninstallKB894391$\ole32.dll (Microsoft Corporation)

[1] 2005-04-28 11:31:11 1285120 C:\WINDOWS\$NtUninstallKB902400$\ole32.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 1281536 C:\WINDOWS\ServicePackFiles\i386\ole32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:02 1287168 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ole32.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:48 1285120 C:\WINDOWS\SYSTEM32\DLLCACHE\ole32.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:48 1285120 C:\WINDOWS\SYSTEM32\ole32.dll (Microsoft Corporation)

[1] 2003-08-25 11:53:44 1172992 C:\i386\OLE32.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll

[1] 2009-04-15 06:51:25 585216 C:\WINDOWS\$hf_mig$\KB970238\SP3GDR\rpcrt4.dll (Microsoft Corporation)

[1] 2009-04-15 07:24:20 585216 C:\WINDOWS\$hf_mig$\KB970238\SP3QFE\rpcrt4.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 535552 C:\WINDOWS\$NtServicePackUninstall$\rpcrt4.dll (Microsoft Corporation)

[1] 2003-08-25 11:53:46 532480 C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll ()

[1] 2004-08-03 23:56:44 581120 C:\WINDOWS\$NtUninstallKB933729$\rpcrt4.dll (Microsoft Corporation)

[1] 2007-07-09 05:16:16 582656 C:\WINDOWS\$NtUninstallKB970238$\rpcrt4.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 581120 C:\WINDOWS\ServicePackFiles\i386\rpcrt4.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 584704 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\rpcrt4.dll (Microsoft Corporation)

[1] 2009-04-15 07:26:39 583168 C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll (Microsoft Corporation)

[1] 2009-04-15 07:26:39 583168 C:\WINDOWS\SYSTEM32\rpcrt4.dll (Microsoft Corporation)

[1] 2003-08-25 11:53:46 532480 C:\i386\RPCRT4.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll

[1] 2005-01-13 21:07:42 395776 C:\WINDOWS\$hf_mig$\KB873333\SP2QFE\rpcss.dll (Microsoft Corporation)

[1] 2005-04-28 11:35:01 396288 C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll (Microsoft Corporation)

[1] 2005-07-25 20:20:40 398336 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 02:01:53 401408 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 04:10:48 401408 C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 02:56:36 401408 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 263680 C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll (Microsoft Corporation)

[1] 2003-08-25 11:53:40 260608 C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll ()

[1] 2004-08-03 23:56:44 395776 C:\WINDOWS\$NtUninstallKB873333$\rpcss.dll (Microsoft Corporation)

[1] 2005-01-14 00:55:50 395776 C:\WINDOWS\$NtUninstallKB894391$\rpcss.dll (Microsoft Corporation)

[1] 2005-04-28 11:31:11 395776 C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:49 397824 C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 395776 C:\WINDOWS\ServicePackFiles\i386\rpcss.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 399360 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 02:20:34 399360 C:\WINDOWS\SYSTEM32\DLLCACHE\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 02:20:34 399360 C:\WINDOWS\SYSTEM32\rpcss.dll (Microsoft Corporation)

[1] 2003-08-25 11:53:40 260608 C:\i386\RPCSS.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\txflog.dll

[1] 2005-07-25 20:20:40 101376 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\txflog.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 97280 C:\WINDOWS\$NtServicePackUninstall$\txflog.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 90624 C:\WINDOWS\$NtUninstallKB828741$\txflog.dll ()

[1] 2004-08-03 23:56:46 101376 C:\WINDOWS\$NtUninstallKB902400$\txflog.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:46 101376 C:\WINDOWS\ServicePackFiles\i386\txflog.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:07 101376 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\txflog.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:49 101376 C:\WINDOWS\SYSTEM32\txflog.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 90624 C:\i386\TXFLOG.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\callcont.dll

[1] 2004-03-29 17:48:36 364544 C:\WINDOWS\$NtServicePackUninstall$\callcont.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 360448 C:\WINDOWS\$NtUninstallKB835732$\callcont.dll ()

[1] 2004-08-03 23:56:41 385024 C:\WINDOWS\ServicePackFiles\i386\callcont.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 385024 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\callcont.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 360448 C:\i386\CALLCONT.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll

[1] 2005-10-05 19:18:28 280064 C:\WINDOWS\$hf_mig$\KB896424\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2005-12-28 19:04:05 280064 C:\WINDOWS\$hf_mig$\KB912919\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2007-03-08 07:48:36 282112 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2007-06-19 05:37:21 282112 C:\WINDOWS\$hf_mig$\KB938829\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:51:04 284160 C:\WINDOWS\$hf_mig$\KB956802\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:36:14 286720 C:\WINDOWS\$hf_mig$\KB956802\SP3GDR\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:43:42 286720 C:\WINDOWS\$hf_mig$\KB956802\SP3QFE\gdi32.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 257536 C:\WINDOWS\$NtServicePackUninstall$\gdi32.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 250368 C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll ()

[1] 2004-08-03 23:56:42 278016 C:\WINDOWS\$NtUninstallKB896424$\gdi32.dll (Microsoft Corporation)

[1] 2005-10-05 19:09:36 280064 C:\WINDOWS\$NtUninstallKB912919$\gdi32.dll (Microsoft Corporation)

[1] 2005-12-28 18:54:35 280064 C:\WINDOWS\$NtUninstallKB925902$\gdi32.dll (Microsoft Corporation)

[1] 2007-03-08 07:36:28 281600 C:\WINDOWS\$NtUninstallKB938829$\gdi32.dll (Microsoft Corporation)

[1] 2007-06-19 05:31:19 282112 C:\WINDOWS\$NtUninstallKB956802$\gdi32.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 278016 C:\WINDOWS\ServicePackFiles\i386\gdi32.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 285184 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 05:01:36 283648 C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 05:01:36 283648 C:\WINDOWS\SYSTEM32\gdi32.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 250368 C:\i386\GDI32.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\h323.tsp

[1] 2004-03-29 17:48:36 253440 C:\WINDOWS\$NtServicePackUninstall$\h323.tsp ()

[1] 2002-08-29 03:00:00 252928 C:\WINDOWS\$NtUninstallKB835732$\h323.tsp ()

[1] 2004-08-03 23:56:57 265728 C:\WINDOWS\ServicePackFiles\i386\h323.tsp ()

[1] 2008-04-13 16:12:45 265728 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\h323.tsp ()

[1] 2004-08-03 23:56:57 265728 C:\WINDOWS\SYSTEM32\DLLCACHE\h323.tsp ()

[1] 2004-08-03 23:56:57 265728 C:\WINDOWS\SYSTEM32\h323.tsp ()

[1] 2002-08-29 03:00:00 252928 C:\i386\H323.TSP ()



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll

[1] 2004-03-29 17:48:36 593408 C:\WINDOWS\$NtServicePackUninstall$\h323msp.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 592896 C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll ()

[1] 2004-08-03 23:56:42 614912 C:\WINDOWS\ServicePackFiles\i386\h323msp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 614912 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\h323msp.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 614912 C:\WINDOWS\SYSTEM32\h323msp.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 592896 C:\i386\H323MSP.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe

[1] 2004-04-14 16:50:06 740864 C:\WINDOWS\$NtServicePackUninstall$\helpctr.exe (Microsoft Corporation)

[1] 2002-08-29 03:00:00 742400 C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe ()

[1] 2004-03-29 17:34:15 741376 C:\WINDOWS\$NtUninstallKB840374$\helpctr.exe (Microsoft Corporation)

[1] 2004-08-03 23:56:49 768512 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe (Microsoft Corporation)

[1] 2004-08-03 23:56:49 768512 C:\WINDOWS\ServicePackFiles\i386\helpctr.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 769024 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\helpctr.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll

[1] 2004-03-29 17:48:36 439808 C:\WINDOWS\$NtServicePackUninstall$\ipnathlp.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 435200 C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll ()

[1] 2004-08-03 23:56:42 331264 C:\WINDOWS\ServicePackFiles\i386\ipnathlp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 331264 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ipnathlp.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 331264 C:\WINDOWS\SYSTEM32\DLLCACHE\ipnathlp.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 331264 C:\WINDOWS\SYSTEM32\ipnathlp.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 435200 C:\i386\IPNATHLP.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll

[1] 2004-10-27 17:28:18 721920 C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2006-08-17 04:37:49 726528 C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2007-11-07 01:50:47 727040 C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 02:01:53 728576 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 04:10:49 729088 C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 02:56:36 729088 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-25 00:17:27 729600 C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-25 00:25:26 730112 C:\WINDOWS\$hf_mig$\KB968389\SP3GDR\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-26 01:41:12 730112 C:\WINDOWS\$hf_mig$\KB968389\SP3QFE\lsasrv.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 667648 C:\WINDOWS\$NtServicePackUninstall$\lsasrv.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 671744 C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll ()

[1] 2004-08-03 23:56:42 721920 C:\WINDOWS\$NtUninstallKB885835$\lsasrv.dll (Microsoft Corporation)

[1] 2004-10-27 17:21:01 721920 C:\WINDOWS\$NtUninstallKB924270$\lsasrv.dll (Microsoft Corporation)

[1] 2006-08-17 04:28:27 721920 C:\WINDOWS\$NtUninstallKB943485$\lsasrv.dll (Microsoft Corporation)

[1] 2007-11-07 01:26:56 721920 C:\WINDOWS\$NtUninstallKB956572$\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 02:20:34 723456 C:\WINDOWS\$NtUninstallKB968389$\lsasrv.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 721920 C:\WINDOWS\ServicePackFiles\i386\lsasrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 728064 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-25 00:44:41 724480 C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-25 00:44:41 724480 C:\WINDOWS\SYSTEM32\lsasrv.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 671744 C:\i386\LSASRV.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll

[1] 2007-03-08 07:48:36 40960 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\mf3216.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 36864 C:\WINDOWS\$NtServicePackUninstall$\mf3216.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 35328 C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll ()

[1] 2004-08-03 23:56:42 39936 C:\WINDOWS\$NtUninstallKB925902$\mf3216.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 39936 C:\WINDOWS\ServicePackFiles\i386\mf3216.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 40960 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mf3216.dll (Microsoft Corporation)

[1] 2007-03-08 07:36:28 40960 C:\WINDOWS\SYSTEM32\DLLCACHE\mf3216.dll (Microsoft Corporation)

[1] 2007-03-08 07:36:28 40960 C:\WINDOWS\SYSTEM32\mf3216.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 35328 C:\i386\MF3216.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll

[1] 2009-09-04 12:36:13 58880 C:\WINDOWS\$hf_mig$\KB974571\SP2QFE\msasn1.dll (Microsoft Corporation)

[1] 2009-09-04 13:03:36 58880 C:\WINDOWS\$hf_mig$\KB974571\SP3GDR\msasn1.dll (Microsoft Corporation)

[1] 2009-09-04 12:57:48 58880 C:\WINDOWS\$hf_mig$\KB974571\SP3QFE\msasn1.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 51712 C:\WINDOWS\$NtServicePackUninstall$\msasn1.dll (Microsoft Corporation)

[1] 2003-09-19 09:37:54 51712 C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll ()

[1] 2004-08-03 23:56:42 57344 C:\WINDOWS\$NtUninstallKB974571$\msasn1.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 57344 C:\WINDOWS\ServicePackFiles\i386\msasn1.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:58 57344 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msasn1.dll (Microsoft Corporation)

[1] 2009-09-04 12:45:26 58880 C:\WINDOWS\SYSTEM32\DLLCACHE\msasn1.dll (Microsoft Corporation)

[1] 2009-09-04 12:45:26 58880 C:\WINDOWS\SYSTEM32\msasn1.dll (Microsoft Corporation)

[1] 2003-09-19 09:37:54 51712 C:\i386\MSASN1.DLL (Microsoft Corporation)

[1] 2003-09-19 13:21:06 51712 C:\i386\SP1\MSASN1.DLL (Microsoft Corporation)

[1] 2003-09-19 09:37:54 51712 C:\i386\SP2\MSASN1.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\msgina.dll

[1] 2004-03-29 17:48:36 971264 C:\WINDOWS\$NtServicePackUninstall$\msgina.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 968192 C:\WINDOWS\$NtUninstallKB835732$\msgina.dll ()

[1] 2004-08-03 23:56:43 994304 C:\WINDOWS\ServicePackFiles\i386\msgina.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 997376 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msgina.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 994304 C:\WINDOWS\SYSTEM32\msgina.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 968192 C:\i386\MSGINA.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\mst120.dll

[1] 2004-03-29 17:48:36 253952 C:\WINDOWS\$NtServicePackUninstall$\mst120.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 249856 C:\WINDOWS\$NtUninstallKB835732$\mst120.dll ()

[1] 2004-08-03 23:56:43 274432 C:\WINDOWS\ServicePackFiles\i386\mst120.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:00 274432 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mst120.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 249856 C:\i386\MST120.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll

[1] 2006-08-17 04:37:49 337408 C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:53:28 339456 C:\WINDOWS\$hf_mig$\KB958644\SP2QFE\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:34:24 337408 C:\WINDOWS\$hf_mig$\KB958644\SP3GDR\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:25:53 339456 C:\WINDOWS\$hf_mig$\KB958644\SP3QFE\netapi32.dll (Microsoft Corporation)

[1] 2004-06-08 14:02:21 306688 C:\WINDOWS\$NtServicePackUninstall$\netapi32.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 309248 C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll ()

[1] 2004-03-29 17:48:36 306176 C:\WINDOWS\$NtUninstallKB841873$\netapi32.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 332288 C:\WINDOWS\$NtUninstallKB924270$\netapi32.dll (Microsoft Corporation)

[1] 2006-08-17 04:28:27 332288 C:\WINDOWS\$NtUninstallKB958644$\netapi32.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 332288 C:\WINDOWS\ServicePackFiles\i386\netapi32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 337408 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:57:55 332800 C:\WINDOWS\SYSTEM32\DLLCACHE\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:57:55 332800 C:\WINDOWS\SYSTEM32\netapi32.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 309248 C:\i386\NETAPI32.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll

[1] 2004-03-29 17:48:36 73728 C:\WINDOWS\$NtServicePackUninstall$\nmcom.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 69632 C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll ()

[1] 2004-08-03 23:56:44 77824 C:\WINDOWS\ServicePackFiles\i386\nmcom.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:02 77824 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\nmcom.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 69632 C:\i386\NMCOM.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll

[1] 2004-03-29 17:48:36 548352 C:\WINDOWS\$NtServicePackUninstall$\rtcdll.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 548864 C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll ()

[1] 2008-04-13 16:12:50 991232 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\52\msft\windows\net\rtcdll\rtcdll.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:59 991232 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 548864 C:\i386\RTCDLL.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\schannel.dll

[1] 2007-04-25 12:32:22 144896 C:\WINDOWS\$hf_mig$\KB935840\SP2QFE\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 22:41:26 144896 C:\WINDOWS\$hf_mig$\KB960225\SP2QFE\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 22:54:55 144896 C:\WINDOWS\$hf_mig$\KB960225\SP3GDR\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 22:58:08 144896 C:\WINDOWS\$hf_mig$\KB960225\SP3QFE\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:17:27 168448 C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:25:26 147456 C:\WINDOWS\$hf_mig$\KB968389\SP3GDR\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:41:11 147456 C:\WINDOWS\$hf_mig$\KB968389\SP3QFE\schannel.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 136704 C:\WINDOWS\$NtServicePackUninstall$\schannel.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 136704 C:\WINDOWS\$NtUninstallKB835732$\schannel.dll ()

[1] 2004-08-03 23:56:44 144896 C:\WINDOWS\$NtUninstallKB935840$\schannel.dll (Microsoft Corporation)

[1] 2007-04-25 06:21:15 144896 C:\WINDOWS\$NtUninstallKB960225$\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 23:12:45 144896 C:\WINDOWS\$NtUninstallKB968389$\schannel.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 144896 C:\WINDOWS\ServicePackFiles\i386\schannel.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:05 144384 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:44:41 168448 C:\WINDOWS\SYSTEM32\DLLCACHE\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:44:41 168448 C:\WINDOWS\SYSTEM32\schannel.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 136704 C:\i386\SCHANNEL.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll

[1] 2004-04-10 20:04:21 593408 C:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll (Microsoft Corporation)

[1] 2003-03-06 08:27:38 526848 C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll ()

[1] 2004-03-10 09:59:50 593408 C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll (Microsoft Corporation)

[1] 2004-03-10 09:59:50 593408 C:\WINDOWS\$NtUninstallKB841873$\xpsp2res.dll (Microsoft Corporation)

[2] 2004-08-03 23:56:29 757248 C:\WINDOWS\ServicePackFiles\i386\sprb041b.dll (Microsoft Corporation)

[2] 2004-08-03 23:56:30 732160 C:\WINDOWS\ServicePackFiles\i386\sprb0424.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:36 2897920 C:\WINDOWS\ServicePackFiles\i386\xpsp2res.dll (Microsoft Corporation)

[2] 2008-04-13 10:38:37 757248 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sprb041b.dll (Microsoft Corporation)

[2] 2008-04-13 10:38:36 732160 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sprb0424.dll (Microsoft Corporation)

[1] 2008-04-13 09:39:24 2897920 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\xpsp2res.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:36 2897920 C:\WINDOWS\SYSTEM32\DLLCACHE\xpsp2res.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:29 757248 C:\WINDOWS\SYSTEM32\MUI\041b\xpsp2res.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:36 2897920 C:\WINDOWS\SYSTEM32\MUI\041e\xpsp2res.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:30 732160 C:\WINDOWS\SYSTEM32\MUI\0424\xpsp2res.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:36 2897920 C:\WINDOWS\SYSTEM32\xpsp2res.dll (Microsoft Corporation)

[1] 2003-03-06 08:27:38 526848 C:\i386\xpsp2res.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\dao360.dll

[1] 2008-01-22 20:56:21 554008 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:22 561179 C:\WINDOWS\$NtServicePackUninstall$\dao360.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 557128 C:\WINDOWS\$NtUninstallKB837001$\dao360.dll ()

[1] 2004-08-03 23:56:42 561179 C:\WINDOWS\$NtUninstallKB950749$\dao360.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 561179 C:\WINDOWS\ServicePackFiles\i386\dao360.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:25 554008 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\dao360.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:25 554008 C:\WINDOWS\SYSTEM32\DLLCACHE\dao360.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 557128 C:\i386\DAO360.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll

[1] 2004-01-10 03:37:02 380957 C:\WINDOWS\$NtServicePackUninstall$\expsrv.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 380445 C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll ()

[1] 2004-08-03 23:56:42 380957 C:\WINDOWS\ServicePackFiles\i386\expsrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 380445 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\expsrv.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 380957 C:\WINDOWS\SYSTEM32\expsrv.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 380445 C:\i386\EXPSRV.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll

[1] 2007-12-10 04:41:11 518944 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:23 512029 C:\WINDOWS\$NtServicePackUninstall$\msexch40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 512031 C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll ()

[1] 2004-08-03 23:56:43 512029 C:\WINDOWS\$NtUninstallKB950749$\msexch40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 512029 C:\WINDOWS\ServicePackFiles\i386\msexch40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:28 518944 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msexch40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:28 518944 C:\WINDOWS\SYSTEM32\DLLCACHE\msexch40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:28 518944 C:\WINDOWS\SYSTEM32\msexch40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 512031 C:\i386\MSEXCH40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll

[1] 2007-12-10 04:41:11 326432 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:24 319517 C:\WINDOWS\$NtServicePackUninstall$\msexcl40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 319519 C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll ()

[1] 2004-08-03 23:56:43 319517 C:\WINDOWS\$NtUninstallKB950749$\msexcl40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 319517 C:\WINDOWS\ServicePackFiles\i386\msexcl40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:30 326432 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msexcl40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:30 326432 C:\WINDOWS\SYSTEM32\DLLCACHE\msexcl40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:30 326432 C:\WINDOWS\SYSTEM32\msexcl40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 319519 C:\i386\MSEXCL40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll

[1] 2007-12-10 04:41:11 1516568 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll (Microsoft Corporation)

[1] 2004-03-16 10:44:10 1507356 C:\WINDOWS\$NtServicePackUninstall$\msjet40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 1503262 C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll ()

[1] 2004-08-03 23:56:43 1507356 C:\WINDOWS\$NtUninstallKB950749$\msjet40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 1507356 C:\WINDOWS\ServicePackFiles\i386\msjet40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:34 1516568 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msjet40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:34 1516568 C:\WINDOWS\SYSTEM32\DLLCACHE\msjet40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:34 1516568 C:\WINDOWS\SYSTEM32\msjet40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 1503262 C:\i386\MSJET40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll

[1] 2002-08-29 03:00:00 348195 C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll ()

[2] 2004-03-01 10:52:15 358976 C:\WINDOWS\$NtUninstallKB950749$\msjetol1.dll (Microsoft Corporation)

[1] 2004-03-01 10:52:15 358976 C:\WINDOWS\$NtUninstallKB950749$\msjetoledb40.dll (Microsoft Corporation)

[2] 2004-03-01 10:52:15 358976 C:\WINDOWS\ServicePackFiles\i386\msjetol1.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:40 355112 C:\WINDOWS\SYSTEM32\msjetoledb40.dll ()

[1] 2002-08-29 03:00:00 348195 C:\i386\msjetoledb40.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll

[1] 2008-03-26 23:39:13 151583 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll (Microsoft Corporation)

[1] 2004-03-16 09:38:32 151583 C:\WINDOWS\$NtServicePackUninstall$\msjint40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 151626 C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll ()

[1] 2004-08-03 23:56:43 151583 C:\WINDOWS\$NtUninstallKB950749$\msjint40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 151583 C:\WINDOWS\ServicePackFiles\i386\msjint40.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:00 151583 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msjint40.dll (Microsoft Corporation)

[1] 2008-03-27 00:12:54 151583 C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll (Microsoft Corporation)

[1] 2008-03-27 00:12:54 151583 C:\WINDOWS\SYSTEM32\msjint40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 151626 C:\i386\MSJINT40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll

[1] 2007-12-10 04:41:12 60192 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll (Microsoft Corporation)

[1] 2004-01-10 03:36:33 53279 C:\WINDOWS\$NtServicePackUninstall$\msjter40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 53322 C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll ()

[1] 2004-08-03 23:56:43 53279 C:\WINDOWS\$NtUninstallKB950749$\msjter40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 53279 C:\WINDOWS\ServicePackFiles\i386\msjter40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:42 60192 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msjter40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:42 60192 C:\WINDOWS\SYSTEM32\DLLCACHE\msjter40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:42 60192 C:\WINDOWS\SYSTEM32\msjter40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 53322 C:\i386\MSJTER40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll

[1] 2007-12-10 04:41:12 248608 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:29 241693 C:\WINDOWS\$NtServicePackUninstall$\msjtes40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 241695 C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll ()

[1] 2004-08-03 23:56:43 241693 C:\WINDOWS\$NtUninstallKB950749$\msjtes40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 241693 C:\WINDOWS\ServicePackFiles\i386\msjtes40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:42 248608 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msjtes40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:42 248608 C:\WINDOWS\SYSTEM32\DLLCACHE\msjtes40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:42 248608 C:\WINDOWS\SYSTEM32\msjtes40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 241695 C:\i386\MSJTES40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll

[1] 2007-12-10 04:41:12 219936 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll (Microsoft Corporation)

[1] 2004-01-10 03:36:38 213023 C:\WINDOWS\$NtServicePackUninstall$\msltus40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 213023 C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll ()

[1] 2004-08-03 23:56:43 213023 C:\WINDOWS\$NtUninstallKB950749$\msltus40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 213023 C:\WINDOWS\ServicePackFiles\i386\msltus40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:44 219936 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msltus40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:44 219936 C:\WINDOWS\SYSTEM32\DLLCACHE\msltus40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:44 219936 C:\WINDOWS\SYSTEM32\msltus40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 213023 C:\i386\MSLTUS40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll

[1] 2007-12-10 04:41:12 355104 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:31 348189 C:\WINDOWS\$NtServicePackUninstall$\mspbde40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 348191 C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll ()

[1] 2004-08-03 23:56:43 348189 C:\WINDOWS\$NtUninstallKB950749$\mspbde40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 348189 C:\WINDOWS\ServicePackFiles\i386\mspbde40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:45 355104 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mspbde40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:45 355104 C:\WINDOWS\SYSTEM32\DLLCACHE\mspbde40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:45 355104 C:\WINDOWS\SYSTEM32\mspbde40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 348191 C:\i386\MSPBDE40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll

[1] 2007-12-10 04:41:13 432928 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll (Microsoft Corporation)

[1] 2004-01-10 03:36:42 421919 C:\WINDOWS\$NtServicePackUninstall$\msrd2x40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 421919 C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll ()

[1] 2004-08-03 23:56:43 421919 C:\WINDOWS\$NtUninstallKB950749$\msrd2x40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 421919 C:\WINDOWS\ServicePackFiles\i386\msrd2x40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:47 432928 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msrd2x40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:47 432928 C:\WINDOWS\SYSTEM32\DLLCACHE\msrd2x40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:47 432928 C:\WINDOWS\SYSTEM32\msrd2x40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 421919 C:\i386\MSRD2X40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll

[1] 2007-12-10 04:41:13 322336 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll (Microsoft Corporation)

[1] 2004-01-10 03:36:43 315423 C:\WINDOWS\$NtServicePackUninstall$\msrd3x40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 315466 C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll ()

[1] 2004-08-03 23:56:43 315423 C:\WINDOWS\$NtUninstallKB950749$\msrd3x40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 315423 C:\WINDOWS\ServicePackFiles\i386\msrd3x40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:49 322336 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msrd3x40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:49 322336 C:\WINDOWS\SYSTEM32\DLLCACHE\msrd3x40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:49 322336 C:\WINDOWS\SYSTEM32\msrd3x40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 315466 C:\i386\MSRD3X40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll

[1] 2007-12-10 04:41:13 559904 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:35 552989 C:\WINDOWS\$NtServicePackUninstall$\msrepl40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 552991 C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll ()

[1] 2004-08-03 23:56:43 552989 C:\WINDOWS\$NtUninstallKB950749$\msrepl40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 552989 C:\WINDOWS\ServicePackFiles\i386\msrepl40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:52 559904 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msrepl40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:52 559904 C:\WINDOWS\SYSTEM32\DLLCACHE\msrepl40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:52 559904 C:\WINDOWS\SYSTEM32\msrepl40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 552991 C:\i386\MSREPL40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll

[1] 2007-12-10 04:41:13 264992 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:35 258077 C:\WINDOWS\$NtServicePackUninstall$\mstext40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 253983 C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll ()

[1] 2004-08-03 23:56:43 258077 C:\WINDOWS\$NtUninstallKB950749$\mstext40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:43 258077 C:\WINDOWS\ServicePackFiles\i386\mstext40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:55 264992 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mstext40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:55 264992 C:\WINDOWS\SYSTEM32\DLLCACHE\mstext40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:55 264992 C:\WINDOWS\SYSTEM32\mstext40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 253983 C:\i386\MSTEXT40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll

[1] 2007-12-10 04:41:13 838432 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll (Microsoft Corporation)

[1] 2004-01-10 03:36:50 831519 C:\WINDOWS\$NtServicePackUninstall$\mswdat10.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 831562 C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll ()

[1] 2004-08-03 23:56:44 831519 C:\WINDOWS\$NtUninstallKB950749$\mswdat10.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 831519 C:\WINDOWS\ServicePackFiles\i386\mswdat10.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:57 838432 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mswdat10.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:57 838432 C:\WINDOWS\SYSTEM32\DLLCACHE\mswdat10.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:57 838432 C:\WINDOWS\SYSTEM32\mswdat10.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 831562 C:\i386\MSWDAT10.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll

[1] 2007-12-10 04:41:14 621344 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll (Microsoft Corporation)

[1] 2004-03-16 09:38:33 614431 C:\WINDOWS\$NtServicePackUninstall$\mswstr10.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 614474 C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll ()

[1] 2004-08-03 23:56:44 614429 C:\WINDOWS\$NtUninstallKB950749$\mswstr10.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 614429 C:\WINDOWS\ServicePackFiles\i386\mswstr10.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:58 621344 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mswstr10.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:58 621344 C:\WINDOWS\SYSTEM32\DLLCACHE\mswstr10.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:58 621344 C:\WINDOWS\SYSTEM32\mswstr10.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 614474 C:\i386\MSWSTR10.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll

[1] 2007-12-10 04:41:14 355104 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll (Microsoft Corporation)

[1] 2004-03-01 10:55:39 348189 C:\WINDOWS\$NtServicePackUninstall$\msxbde40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 344095 C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll ()

[1] 2004-08-03 23:56:44 348189 C:\WINDOWS\$NtUninstallKB950749$\msxbde40.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 348189 C:\WINDOWS\ServicePackFiles\i386\msxbde40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:58 355104 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msxbde40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:58 355104 C:\WINDOWS\SYSTEM32\DLLCACHE\msxbde40.dll (Microsoft Corporation)

[1] 2008-03-24 20:50:58 355104 C:\WINDOWS\SYSTEM32\msxbde40.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 344095 C:\i386\MSXBDE40.DLL (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll

[1] 2004-03-16 10:44:16 30749 C:\WINDOWS\$NtServicePackUninstall$\vbajet32.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 30992 C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll ()

[1] 2004-08-03 23:56:46 30749 C:\WINDOWS\ServicePackFiles\i386\vbajet32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:08 30749 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\vbajet32.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:46 30749 C:\WINDOWS\SYSTEM32\vbajet32.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 30992 C:\i386\VBAJET32.DLL (Microsoft Corporation)





Finished!



Edited by Orange Blossom, 08 November 2009 - 05:30 PM.
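The Win32kDiag listing above prints, for every system file it examines, one "[1] date time size path (publisher)" line per copy found on disk, plus a "Cannot access:" line for any copy it could not open. A responder reads it by comparing the live SYSTEM32 copy against the protected DLLCACHE copy and noting files with no publisher recorded. The script below is an added example that automates that comparison; it is not part of the forum post, of Win32kDiag, or of BleepingComputer's advice. The sample input is constructed from the msjter40.dll and vbajet32.dll lines above, with one hypothetical "example40.dll" group added so that the size-mismatch check has something to report.

```python
"""Audit a Win32kDiag-style file listing for integrity leads (added example)."""
import re
from collections import defaultdict

# Line formats as they appear in the log above (assumed from those lines).
ENTRY_RE = re.compile(
    r"^\[\d+\]\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s+\((.*)\)$"
)
CANNOT_RE = re.compile(r"^Cannot access:\s+(.+)$")

# Constructed sample: real-format lines copied from the log above plus a
# hypothetical "example40.dll" pair whose SYSTEM32 and DLLCACHE sizes differ.
SAMPLE_LOG = r"""
Cannot access: C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll

[1] 2007-12-10 04:41:12 60192 C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll (Microsoft Corporation)
[1] 2004-01-10 03:36:33 53279 C:\WINDOWS\$NtServicePackUninstall$\msjter40.dll (Microsoft Corporation)
[1] 2002-08-29 03:00:00 53322 C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll ()
[1] 2008-03-24 20:50:42 60192 C:\WINDOWS\SYSTEM32\DLLCACHE\msjter40.dll (Microsoft Corporation)
[1] 2008-03-24 20:50:42 60192 C:\WINDOWS\SYSTEM32\msjter40.dll (Microsoft Corporation)
[1] 2002-08-29 03:00:00 53322 C:\i386\MSJTER40.DLL (Microsoft Corporation)

[1] 2004-08-03 23:56:46 30749 C:\WINDOWS\SYSTEM32\vbajet32.dll (Microsoft Corporation)

[1] 2009-11-01 00:00:00 12000 C:\WINDOWS\SYSTEM32\DLLCACHE\example40.dll (Example Publisher)
[1] 2009-11-01 00:00:00 12345 C:\WINDOWS\SYSTEM32\example40.dll (Example Publisher)
"""


def parse_listing(text):
    """Return (entries, inaccessible): parsed "[1] ..." rows and "Cannot access" paths."""
    entries, inaccessible = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CANNOT_RE.match(line)
        if m:
            inaccessible.append(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            date, time, size, path, company = m.groups()
            entries.append({
                "date": date, "time": time, "size": int(size),
                "path": path, "company": company.strip(),
                # File names are case-insensitive on Windows (MSJTER40.DLL == msjter40.dll).
                "name": path.rsplit("\\", 1)[-1].lower(),
            })
    return entries, inaccessible


def _parent_ends_with(path, folder):
    """True if the directory part of path ends with folder (case-insensitive)."""
    parent = path.rsplit("\\", 1)[0].lower()
    return parent.endswith(folder.lower())


def audit(text):
    """Produce the three leads a responder looks for in this kind of listing."""
    entries, inaccessible = parse_listing(text)
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    # Empty "()" means the tool read no version/publisher info; a lead, not a verdict.
    no_publisher = sorted(e["path"] for e in entries if not e["company"])

    # The DLLCACHE copy is the protected reference; the live SYSTEM32 copy should match it.
    size_mismatch = {}
    for name, group in by_name.items():
        live = [e for e in group if _parent_ends_with(e["path"], "\\system32")]
        cache = [e for e in group if _parent_ends_with(e["path"], "\\system32\\dllcache")]
        if live and cache and live[0]["size"] != cache[0]["size"]:
            size_mismatch[name] = {"system32": live[0]["size"], "dllcache": cache[0]["size"]}

    return {"inaccessible": inaccessible,
            "no_publisher": no_publisher,
            "size_mismatch": size_mismatch}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the real log every SYSTEM32/DLLCACHE pair matches in size, so only the "Cannot access" and empty-publisher leads would be reported; both point at the $NtUninstallKB837001$ backup folder, which is worth confirming by hand but is not on its own evidence of tampering. A size match is a weak check (an attacker can pad a file); where the tool also prints hashes, compare those instead.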



 


#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:59 PM

Posted 13 November 2009 - 03:02 AM

Hello

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

#3 UbreBlanca

UbreBlanca
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:59 AM

Posted 13 November 2009 - 10:26 PM

Hi there - here's the Combofix log:

ComboFix 09-11-14.01 - Cooper 13/11/2009 18:56..1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2302.1832 [GMT -8:00]
Running from: c:\documents and settings\Cooper\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 03:08 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-14 03:08 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-09 22:46 . 2009-11-09 22:46 17212912 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
2009-11-07 22:09 . 2009-11-08 19:54 -------- d-----w- c:\documents and settings\Pamela\Local Settings\Application Data\lunwne
2009-11-03 00:19 . 2009-11-03 14:30 -------- d-----w- c:\program files\ynqnhh
2009-10-26 03:54 . 2009-10-26 03:56 -------- dc-h--w- c:\windows\ie8
2009-10-25 20:07 . 2009-11-03 15:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\84adafa
2009-10-23 23:20 . 2009-10-23 23:20 -------- d-----w- c:\documents and settings\Caleb\Application Data\Malwarebytes
2009-10-23 21:17 . 2009-10-24 02:01 -------- d-----w- c:\program files\hcvcok
2009-10-21 17:33 . 2009-10-21 17:33 -------- d-----w- c:\documents and settings\Pamela\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\documents and settings\Cooper\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 18:35 . 2004-03-23 19:31 -------- d-----w- c:\documents and settings\Pamela\Application Data\AdobeUM
2009-10-26 13:50 . 2004-03-13 21:04 -------- d-----w- c:\program files\Google
2009-10-24 01:45 . 2007-03-26 18:30 -------- d-----w- c:\program files\McAfee
2009-10-21 02:26 . 2009-10-06 16:59 -------- d-----w- c:\program files\fyhqoc
2009-10-18 20:17 . 2007-03-27 05:59 -------- d-----w- c:\documents and settings\Cooper\Application Data\SiteAdvisor
2009-10-15 03:50 . 2007-03-26 18:34 -------- d-----w- c:\documents and settings\Pamela\Application Data\SiteAdvisor
2009-10-11 15:45 . 2009-10-11 15:34 -------- d-----w- c:\program files\Crayon Physics Deluxe Demo
2009-10-11 15:35 . 2009-10-11 15:34 -------- d-----w- c:\documents and settings\Cooper\Application Data\Crayon Physics Deluxe
2009-10-10 23:38 . 2008-11-22 23:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 17:36 . 2005-03-03 05:18 -------- d-----w- c:\documents and settings\Pamela\Application Data\Apple Computer
2009-10-06 17:15 . 2007-07-10 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-01 02:13 . 2009-10-01 02:13 64000 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-01 02:13 . 2009-10-01 02:13 52288 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-01 02:13 . 2009-10-01 02:13 50688 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-01 02:13 . 2009-10-01 02:13 114688 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-16 17:22 . 2007-03-26 18:32 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2007-03-26 18:32 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2007-03-26 18:32 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2007-03-26 18:32 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2007-03-26 18:32 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 20:54 . 2009-09-15 20:54 8406648 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-15 20:54 . 2009-09-15 20:54 10309448 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-15 15:09 . 2009-09-15 15:09 83712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-15 15:08 . 2004-07-20 03:21 -------- d-----w- c:\documents and settings\Cooper\Application Data\Apple Computer
2009-09-15 14:49 . 2009-09-15 14:48 -------- d-----w- c:\program files\iTunes
2009-09-15 14:49 . 2009-09-15 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 14:48 . 2004-07-20 03:20 -------- d-----w- c:\program files\iPod
2009-09-15 14:48 . 2007-07-10 22:23 -------- d-----w- c:\program files\Common Files\Apple
2009-09-15 14:46 . 2009-08-12 23:55 -------- d-----w- c:\program files\QuickTime
2009-09-15 14:38 . 2009-09-15 14:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 16:14 . 2008-04-22 19:43 488968 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\setup.exe
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-04-01 03:25 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-02-06 04:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-09-26 20:31 . 2005-09-26 20:31 3523520 ----a-w- c:\program files\easypdf_setup.exe
2001-11-30 18:09 . 2004-07-29 04:43 49152 ----a-r- c:\program files\Common Files\HDvAvi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-23 208941]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-08-28 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-23 180269]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 36904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-10-26 122880]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 8:57 PM 24652]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys [?]
S3 palmusb;USB Comm driver (WDM);c:\windows\SYSTEM32\DRIVERS\palmusb.sys [20/12/2001 9:21 PM 72800]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

2004-03-13 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-26 19:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-26 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.passport.net/uilogin.srf?id=2
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 19:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(124)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-11-13 19:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 03:21

Pre-Run: 25,678,458,880 bytes free
Post-Run: 26,330,525,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 2D2E75C98B28F3B6A82DA0D52E82B408

#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:59 PM

Posted 14 November 2009 - 03:16 AM

Hello :(

Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,
Driver::
cel90xbe

File::
c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys

Dirlook::
c:\documents and settings\Pamela\Local Settings\Application Data\lunwne
c:\program files\ynqnhh
c:\documents and settings\All Users\Application Data\84adafa
c:\program files\hcvcok
c:\program files\fyhqoc


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware
  • Choose Update -tab and click Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Please post Combofix log, Mbam log and a fresh HijackThis log back here :(

#5 UbreBlanca

UbreBlanca
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:59 AM

Posted 14 November 2009 - 01:48 PM

OK - here are the logs you requested. While running HijackThis, it ran into problems when trying to access the HOSTS file, so the O1 line items didn't run as a result. It suggested that I try to modify the HOSTS file. I've checked back on the HOSTS file - it's still read-only, and when I try to change the setting it still alerts me with an access denied message.

Thanks for all your help!! :(

ComboFix 09-11-14.03 - Cooper 14/11/2009 8:39..1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2302.1806 [GMT -8:00]
Running from: c:\documents and settings\Cooper\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cooper\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 03:08 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-14 03:08 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-09 22:46 . 2009-11-09 22:46 17212912 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
2009-11-07 22:09 . 2009-11-08 19:54 -------- d-----w- c:\documents and settings\Pamela\Local Settings\Application Data\lunwne
2009-11-03 00:19 . 2009-11-03 14:30 -------- d-----w- c:\program files\ynqnhh
2009-10-26 03:54 . 2009-10-26 03:56 -------- dc-h--w- c:\windows\ie8
2009-10-25 20:07 . 2009-11-03 15:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\84adafa
2009-10-23 23:20 . 2009-10-23 23:20 -------- d-----w- c:\documents and settings\Caleb\Application Data\Malwarebytes
2009-10-23 21:17 . 2009-10-24 02:01 -------- d-----w- c:\program files\hcvcok
2009-10-21 17:33 . 2009-10-21 17:33 -------- d-----w- c:\documents and settings\Pamela\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\documents and settings\Cooper\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 18:35 . 2004-03-23 19:31 -------- d-----w- c:\documents and settings\Pamela\Application Data\AdobeUM
2009-10-26 13:50 . 2004-03-13 21:04 -------- d-----w- c:\program files\Google
2009-10-24 01:45 . 2007-03-26 18:30 -------- d-----w- c:\program files\McAfee
2009-10-21 02:26 . 2009-10-06 16:59 -------- d-----w- c:\program files\fyhqoc
2009-10-18 20:17 . 2007-03-27 05:59 -------- d-----w- c:\documents and settings\Cooper\Application Data\SiteAdvisor
2009-10-15 03:50 . 2007-03-26 18:34 -------- d-----w- c:\documents and settings\Pamela\Application Data\SiteAdvisor
2009-10-11 15:45 . 2009-10-11 15:34 -------- d-----w- c:\program files\Crayon Physics Deluxe Demo
2009-10-11 15:35 . 2009-10-11 15:34 -------- d-----w- c:\documents and settings\Cooper\Application Data\Crayon Physics Deluxe
2009-10-10 23:38 . 2008-11-22 23:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 17:36 . 2005-03-03 05:18 -------- d-----w- c:\documents and settings\Pamela\Application Data\Apple Computer
2009-10-06 17:15 . 2007-07-10 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-01 02:13 . 2009-10-01 02:13 64000 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-01 02:13 . 2009-10-01 02:13 52288 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-01 02:13 . 2009-10-01 02:13 50688 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-01 02:13 . 2009-10-01 02:13 114688 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-16 17:22 . 2007-03-26 18:32 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2007-03-26 18:32 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2007-03-26 18:32 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2007-03-26 18:32 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2007-03-26 18:32 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 20:54 . 2009-09-15 20:54 8406648 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-15 20:54 . 2009-09-15 20:54 10309448 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-15 15:09 . 2009-09-15 15:09 83712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-15 14:38 . 2009-09-15 14:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 16:14 . 2008-04-22 19:43 488968 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\setup.exe
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-04-01 03:25 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-02-06 04:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-09-26 20:31 . 2005-09-26 20:31 3523520 ----a-w- c:\program files\easypdf_setup.exe
2001-11-30 18:09 . 2004-07-29 04:43 49152 ----a-r- c:\program files\Common Files\HDvAvi.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-14_03.12.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 06:39 . 2009-11-14 15:22 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-09-03 08:08 . 2009-11-14 15:22 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2009-11-14 01:47 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-11-14 06:39 . 2009-11-14 15:22 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-23 208941]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-08-28 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-23 180269]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 36904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-10-26 122880]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 8:57 PM 24652]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys [?]
S3 palmusb;USB Comm driver (WDM);c:\windows\SYSTEM32\DRIVERS\palmusb.sys [20/12/2001 9:21 PM 72800]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

2004-03-13 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-26 19:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-26 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.passport.net/uilogin.srf?id=2
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 08:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2916)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-11-14 08:49
ComboFix-quarantined-files.txt 2009-11-14 16:48
ComboFix2.txt 2009-11-14 03:21

Pre-Run: 26,310,234,112 bytes free
Post-Run: 26,274,947,072 bytes free

- - End Of File - - 5089A6F007524C2D398BD1E5079EC385

Malwarebytes' Anti-Malware 1.41
Database version: 3171
Windows 5.1.2600 Service Pack 2

14/11/2009 10:30:13 AM
mbam-log-2009-11-14 (10-30-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 250439
Time elapsed: 1 hour(s), 32 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:31 AM, on 14/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Cooper\My Documents\Downloaded Files\Anti-Malware\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://westmap.westvancouver.ca/westmapviewer/mgaxctrl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/ItalianToEnglish.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11258 bytes

#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:59 PM

Posted 15 November 2009 - 05:56 AM

Hello

CFScript didn't work like it should.

Let's try again.

Please click your Start button, then click on Run and type in the following without the quotes: "notepad". Then copy (Ctrl+C) and paste (Ctrl+V) the following text into the codebox:
Driver::
cel90xbe

File::
c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys

Dirlook::
c:\documents and settings\Pamela\Local Settings\Application Data\lunwne
c:\program files\ynqnhh
c:\documents and settings\All Users\Application Data\84adafa
c:\program files\hcvcok
c:\program files\fyhqoc


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Post that log in your next reply.



I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. If you select Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
4. Do the same for each Viewpoint component.


Reboot the computer and post the ComboFix log and a fresh HijackThis log back here :(

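The CFScript above was assembled by hand from two kinds of ComboFix output: the file-listing lines (date . date size attrs path) in which the random-named directories under Program Files and Application Data stand out, and the R/S service lines, where a driver loaded from a user's Temp folder (cel90xbe.sys) is the red flag. The script below, added here as an illustration and not part of Baabiouz's post or of ComboFix itself, parses both formats from a constructed sample modelled on the log in this thread and emits the same Driver::/File::/Dirlook:: sections. The "random-looking name" test (short all-lowercase names with no vowel, a run of three or more consonants, or a hex-like string containing digits) and the list of drop locations are assumptions of this example, tuned to the names in this log; they are a triage aid for a human reviewer, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample lines in the two ComboFix formats, modelled on the log
# posted above (not copied from the tool's real output file).
FILE_LINES = r"""
2009-11-14 03:08 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-07 22:09 . 2009-11-08 19:54 -------- d-----w- c:\documents and settings\Pamela\Local Settings\Application Data\lunwne
2009-11-03 00:19 . 2009-11-03 14:30 -------- d-----w- c:\program files\ynqnhh
2009-10-26 03:54 . 2009-10-26 03:56 -------- dc-h--w- c:\windows\ie8
2009-10-25 20:07 . 2009-11-03 15:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\84adafa
2009-10-23 23:20 . 2009-10-23 23:20 -------- d-----w- c:\documents and settings\Caleb\Application Data\Malwarebytes
2009-10-23 21:17 . 2009-10-24 02:01 -------- d-----w- c:\program files\hcvcok
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 02:26 . 2009-10-06 16:59 -------- d-----w- c:\program files\fyhqoc
""".strip().splitlines()

SERVICE_LINES = r"""
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 8:57 PM 24652]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys [?]
S3 palmusb;USB Comm driver (WDM);c:\windows\SYSTEM32\DRIVERS\palmusb.sys [20/12/2001 9:21 PM 72800]
""".strip().splitlines()

# "modified . created size attrs path"; directories carry "--------" as size.
FILE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def looks_random(name: str) -> bool:
    """Assumed heuristic: 5-8 lowercase alphanumerics that are either hex
    with digits, vowel-less, or contain a run of 3+ consonants."""
    if not re.fullmatch(r"[a-z0-9]{5,8}", name):
        return False
    if re.fullmatch(r"[0-9a-f]+", name) and any(c.isdigit() for c in name):
        return True
    if not any(c in "aeiou" for c in name):
        return True
    return re.search(r"[b-df-hj-np-tv-z]{3,}", name) is not None


def in_drop_location(parent: str) -> bool:
    """Assumed drop locations: Program Files and any ...\\Application Data."""
    p = parent.lower()
    return p == r"c:\program files" or p.endswith(r"\application data")


def parse_service(line: str) -> Dict[str, str]:
    """Split 'S3 name;display;path [info]' into its fields, normalising the
    path ComboFix shows as 'recorded --> resolved' with a \\??\\ prefix."""
    state, rest = line.split(" ", 1)
    name, display, tail = rest.split(";", 2)
    path = re.sub(r" \[.*\]$", "", tail)      # drop trailing "[date size]" / "[?]"
    path = path.split(" --> ")[0]              # keep the recorded path
    path = re.sub(r"^\\\?\?\\", "", path)      # strip the \??\ NT prefix
    return {"state": state, "name": name, "display": display, "path": path}


def triage(file_lines: List[str], service_lines: List[str]) -> Dict[str, List[str]]:
    """Return candidate Driver::, File:: and Dirlook:: entries for review."""
    dirs, drivers, files = [], [], []
    for line in file_lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        parent, _, name = m["path"].rpartition("\\")
        if m["attrs"].startswith("d") and in_drop_location(parent) and looks_random(name):
            dirs.append(m["path"])
    for line in service_lines:
        svc = parse_service(line)
        # A driver living in a user's Temp folder is suspect regardless of name.
        if "\\temp\\" in svc["path"].lower() or looks_random(svc["name"]):
            drivers.append(svc["name"])
            files.append(svc["path"])
    return {"Driver": drivers, "File": files, "Dirlook": dirs}


def build_cfscript(findings: Dict[str, List[str]]) -> str:
    """Render the findings in the CFScript section syntax used above."""
    out: List[str] = []
    for section in ("Driver", "File", "Dirlook"):
        if findings[section]:
            out.append(f"{section}::")
            out.extend(findings[section])
            out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(FILE_LINES, SERVICE_LINES)), end="")
```

On the sample the output matches the script Baabiouz wrote by hand: cel90xbe under Driver:: and File::, and lunwne, ynqnhh, 84adafa, hcvcok and fyhqoc under Dirlook::, while Malwarebytes (mixed case) and c:\windows\ie8 (not a drop location) are left alone. A Dirlook:: entry only lists a directory; deleting anything still needs a human decision after looking at its contents.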
#7 UbreBlanca

UbreBlanca
  • Topic Starter

  • Members
  • 13 posts
  • Local time:11:59 AM

Posted 15 November 2009 - 11:01 AM

OK - I reran using that CFScript. I didn't have the anti-virus program turned off when I ran ComboFix (it gave me an alert and then I disabled it) - and it had to do an update - not sure if that affects the script being used or not - wouldn't think so. I did notice that the CFScript text file disappeared after using it to run ComboFix today - however the script I created yesterday didn't disappear after using it to run ComboFix. So hopefully today's run of ComboFix operated properly. Ran into the same O1 line item error messages as I did previously.

Thanks for the tip on ViewPoint - I've deleted it. Always happy to get rid of unwanted / unnecessary software.

Oh - I ran HijackThis without rebooting the computer. ComboFix did a reboot while running - hope this is sufficient. If not, let me know and I'll reboot and rerun HijackThis.

ComboFix 09-11-15.02 - Cooper 15/11/2009 7:21..1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2302.1788 [GMT -8:00]
Running from: c:\documents and settings\Cooper\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cooper\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\docume~1\Cooper\LOCALS~1\Temp\cel90xbe.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CEL90XBE
-------\Service_cel90xbe


((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-14 03:08 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-14 03:08 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-09 22:46 . 2009-11-09 22:46 17212912 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
2009-11-07 22:09 . 2009-11-08 19:54 -------- d-----w- c:\documents and settings\Pamela\Local Settings\Application Data\lunwne
2009-11-03 00:19 . 2009-11-03 14:30 -------- d-----w- c:\program files\ynqnhh
2009-10-26 03:54 . 2009-10-26 03:56 -------- dc-h--w- c:\windows\ie8
2009-10-25 20:07 . 2009-11-03 15:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\84adafa
2009-10-23 23:20 . 2009-10-23 23:20 -------- d-----w- c:\documents and settings\Caleb\Application Data\Malwarebytes
2009-10-23 21:17 . 2009-10-24 02:01 -------- d-----w- c:\program files\hcvcok
2009-10-21 17:33 . 2009-10-21 17:33 -------- d-----w- c:\documents and settings\Pamela\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\documents and settings\Cooper\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 02:09 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 02:09 . 2009-10-21 02:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 23:47 . 2008-11-22 23:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 22:46 . 2004-03-23 19:31 -------- d-----w- c:\documents and settings\Pamela\Application Data\AdobeUM
2009-10-26 13:50 . 2004-03-13 21:04 -------- d-----w- c:\program files\Google
2009-10-24 01:45 . 2007-03-26 18:30 -------- d-----w- c:\program files\McAfee
2009-10-21 02:26 . 2009-10-06 16:59 -------- d-----w- c:\program files\fyhqoc
2009-10-18 20:17 . 2007-03-27 05:59 -------- d-----w- c:\documents and settings\Cooper\Application Data\SiteAdvisor
2009-10-15 03:50 . 2007-03-26 18:34 -------- d-----w- c:\documents and settings\Pamela\Application Data\SiteAdvisor
2009-10-11 15:45 . 2009-10-11 15:34 -------- d-----w- c:\program files\Crayon Physics Deluxe Demo
2009-10-11 15:35 . 2009-10-11 15:34 -------- d-----w- c:\documents and settings\Cooper\Application Data\Crayon Physics Deluxe
2009-10-06 17:36 . 2005-03-03 05:18 -------- d-----w- c:\documents and settings\Pamela\Application Data\Apple Computer
2009-10-06 17:15 . 2007-07-10 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-01 02:13 . 2009-10-01 02:13 64000 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-01 02:13 . 2009-10-01 02:13 52288 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-01 02:13 . 2009-10-01 02:13 50688 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-01 02:13 . 2009-10-01 02:13 114688 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-16 17:22 . 2007-03-26 18:32 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2007-03-26 18:32 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2007-03-26 18:32 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2007-03-26 18:32 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2007-03-26 18:32 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 20:54 . 2009-09-15 20:54 8406648 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-15 20:54 . 2009-09-15 20:54 10309448 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-15 15:09 . 2009-09-15 15:09 83712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-15 14:38 . 2009-09-15 14:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 16:14 . 2008-04-22 19:43 488968 ----a-w- c:\documents and settings\Pamela\Application Data\Real\Update\setup\setup.exe
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-04-01 03:25 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-02-06 04:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-09-26 20:31 . 2005-09-26 20:31 3523520 ----a-w- c:\program files\easypdf_setup.exe
2001-11-30 18:09 . 2004-07-29 04:43 49152 ----a-r- c:\program files\Common Files\HDvAvi.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\84adafa ----

2009-10-26 18:01 . 2009-10-26 18:01 4286 ----a-w- c:\documents and settings\All Users\Application Data\84adafa\WED.ico
2009-10-26 18:01 . 2007-01-18 20:27 1757 ----a-w- c:\documents and settings\All Users\Application Data\84adafa\BackUp\Adobe Reader Speed Launch.lnk
2009-10-26 18:01 . 2002-09-03 15:00 84 --sha-w- c:\documents and settings\All Users\Application Data\84adafa\BackUp\DESKTOP.INI
2009-10-26 18:00 . 2009-10-26 18:00 11374 ----a-w- c:\documents and settings\All Users\Application Data\84adafa\WEDDSys\vd952342.bd

---- Directory of c:\documents and settings\Pamela\Local Settings\Application Data\lunwne ----


---- Directory of c:\program files\fyhqoc ----


---- Directory of c:\program files\hcvcok ----


---- Directory of c:\program files\ynqnhh ----



((((((((((((((((((((((((((((( SnapShot@2009-11-14_03.12.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 15:33 . 2009-11-15 15:33 16384 c:\windows\Temp\Perflib_Perfdata_84.dat
+ 2002-09-03 08:08 . 2009-11-15 14:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2009-11-14 01:47 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-11-14 19:25 . 2009-11-15 14:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2002-09-03 08:08 . 2009-11-14 01:47 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-23 208941]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-08-28 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-23 180269]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 36904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-10-26 122880]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 8:57 PM 24652]
S3 palmusb;USB Comm driver (WDM);c:\windows\SYSTEM32\DRIVERS\palmusb.sys [20/12/2001 9:21 PM 72800]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

2004-03-13 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 07:56]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-26 19:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-26 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.passport.net/uilogin.srf?id=2
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(292)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-15 07:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-15 15:44
ComboFix2.txt 2009-11-14 16:49
ComboFix3.txt 2009-11-14 03:21

Pre-Run: 26,228,809,728 bytes free
Post-Run: 26,121,846,784 bytes free

- - End Of File - - 4FD9D7E3F2CF415F8437DE15B6FEAFEC
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:33 AM, on 15/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Cooper\My Documents\Downloaded Files\Anti-Malware\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://westmap.westvancouver.ca/westmapviewer/mgaxctrl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/ItalianToEnglish.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 10905 bytes
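The HijackThis log above is what the helper reads through next. As an added example (not part of this thread, and not HijackThis's own code), the Python below parses the section-tagged lines of such a log and pulls out the three kinds of entry a helper checks first: references to files that no longer exist ("(no file)", "(file missing)"), services with no publisher information, and Run entries that name a bare executable instead of a full path. The sample log is constructed from lines in the post above plus one clean Run entry; the flagging rules are this example's own heuristics, not HijackThis output.

```python
import re

# Constructed sample modelled on the HijackThis log above: a mix of clean
# entries and the three kinds of line a helper looks at first.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
HJT_LINE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return the section-tagged entries of a HijackThis log as dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "line": line})
    return entries


def _run_target(body):
    """Extract the command from an O4 body: the text after the [name] tag,
    with a leading quote dropped so the path check sees the path itself."""
    after = body.split("]", 1)[1] if "]" in body else body
    return after.strip().lstrip('"')


def triage(entries):
    """Return (section, reason, line) tuples for entries worth a second look.
    The rules are this example's heuristics, not HijackThis's own verdicts."""
    findings = []
    for e in entries:
        section, body, line = e["section"], e["body"], e["line"]
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "dangling entry: the referenced file is gone", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service without publisher information: verify the binary", line))
        elif section == "O4":
            target = _run_target(body)
            # A bare file name is resolved through the loader's search order
            # rather than an explicit path, so confirm which file really runs.
            if not re.match(r"(?:[A-Za-z]:\\|%)", target):
                findings.append((section, "run entry uses a bare file name, not a full path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the full log, the same four categories come out: the orphaned O3 toolbar and O9 msjava.dll entries are leftovers to clean, the "Unknown owner" Dell service and the bare `BCMSMMSG.exe` Run entry are the ones to confirm on disk before deciding anything.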

#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 15 November 2009 - 11:36 AM

Hello

The logs are looking better :(

Let's remove those five bad folders and Viewpoint folder.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\program files\ynqnhh
c:\program files\hcvcok
c:\program files\fyhqoc
c:\program files\Viewpoint
c:\documents and settings\Pamela\Local Settings\Application Data\lunwne
c:\documents and settings\All Users\Application Data\84adafa

After removing them, please empty your trash bin on the desktop.


Let's run Eset online scan to make sure you are clean :(

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Post Eset results back here.
How's your computer working?

#9 UbreBlanca

UbreBlanca
  • Topic Starter

  • Members
  • 13 posts

Posted 15 November 2009 - 08:24 PM

Hi there - OK I've completed all of that. After testing - Google search appears to be running properly - no redirect search links. Computer seems to be running a little bit faster - however, I never noticed a slow down in response time before the infection - so not sure if there is much to that.

I've tried accessing my hosts file - it's still locked. I get an access denied message when I try to change from read only. The redirect of the google address to www.securesoftwarebill.com is still there. Not sure if it's having any effect.

Here's the log file from the ESET Online Scanner:

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.OF virus deleted - quarantined
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\2B.tmp a variant of Win32/Kryptik.BCL trojan cleaned by deleting - quarantined

What do you think?

#10 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 16 November 2009 - 12:14 AM

Hello :(

We can try to restore the original hosts file if that helps.

Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Then let's run Gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please post Gmer log back here :(
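UbreBlanca's report of a google address pointed at www.securesoftwarebill.com, and the "Restore MS Hosts File" step above, both come down to what the hosts file contains. As an added example (not part of this thread and not HostsXpert's code), the Python below parses a hosts file, flags any watched domain that is mapped to an address other than the machine itself, and compares the active entries against the stock Windows XP file that a restore puts back. The watched-domain list, the sample file and its 192.0.2.10 address (an RFC 5737 documentation address) are this example's own constructions.

```python
import ipaddress

# Stock Windows XP hosts file (comment block shortened). This is the
# baseline a "restore" step puts back; on XP it lives at
# %SystemRoot%\system32\drivers\etc\hosts.
DEFAULT_XP_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
"""

# Domains worth watching for silent redirection. The list is an assumption
# made for this example; extend it to the sites that matter to you.
WATCHED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com",
                    "mcafee.com", "malwarebytes.org")

# Constructed sample resembling the symptom described in the thread: the
# Google names are pointed at a foreign address. 192.0.2.10 is a
# documentation address (RFC 5737), not a real host.
SAMPLE_HIJACKED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com
127.0.0.1       ads.example.invalid      # blocking entry, harmless
not-an-ip       broken.example.invalid
"""


def active_entries(text):
    """Yield (address, [hostnames], line_number) for every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            continue
        parts = stripped.split()
        yield parts[0], parts[1:], lineno


def _is_watched(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def check_hosts(text):
    """Return findings: watched names mapped away from loopback, plus lines
    whose address does not parse at all (often a sign of tampering or damage)."""
    findings = []
    for addr, names, lineno in active_entries(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "name": None, "addr": addr,
                             "reason": "unparseable address"})
            continue
        if ip.is_loopback:
            continue  # a name pointed at the machine itself is blocked, not redirected
        for name in names:
            if _is_watched(name):
                findings.append({"line": lineno, "name": name, "addr": addr,
                                 "reason": "watched name redirected off-host"})
    return findings


def matches_default(text):
    """True when the active entries equal the stock XP file (comments ignored)."""
    return ([(a, n) for a, n, _ in active_entries(text)]
            == [(a, n) for a, n, _ in active_entries(DEFAULT_XP_HOSTS)])


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HIJACKED_HOSTS):
        print(f"line {f['line']}: {f['reason']} ({f['name'] or '-'} -> {f['addr']})")
    print("matches stock XP hosts:", matches_default(SAMPLE_HIJACKED_HOSTS))
```

To run it on a real machine, read the file at the path named in the comment and pass the text to `check_hosts`. The check covers content only: the "access denied" and "Cannot create ... hosts" errors in this thread are about who holds the file, which no content check can see, and they are themselves a signal that something is still protecting the file.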

#11 UbreBlanca

UbreBlanca
  • Topic Starter

  • Members
  • 13 posts

Posted 16 November 2009 - 10:04 AM

Hello - I tried using HostsXpert - but when I attempted to restore the original MS Hosts file - I received an error message - "Cannot create C:\Windows\System32\DRIVERS\ETC\hosts"

Here's the GMER log:

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-16 06:53:19
Windows 5.1.2600 Service Pack 2
Running: i848opo4.exe; Driver: C:\DOCUME~1\Cooper\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB25E56FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB25E5821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB25E5726]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB25E57CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB25E5835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB25E5861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB25E58CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB25E58B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB25E5750]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB25E58FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB25E580D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB25E57A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB25E57BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB25E5710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB25E5937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB25E58A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB25E588D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB25E584B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB25E5923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB25E590F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB25E57F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB25E57E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB25E5877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB25E5793]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB25E58E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB25E5766]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB25E573A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP B25E573E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80567D6B 5 Bytes JMP B25E5811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B173 7 Bytes JMP B25E5891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056BDBD 5 Bytes JMP B25E57E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8056E819 5 Bytes JMP B25E5825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8056EC29 7 Bytes JMP B25E593B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF20 7 Bytes JMP B25E58D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056FC68 5 Bytes JMP B25E5700 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571F61 5 Bytes JMP B25E576A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 805723DC 7 Bytes JMP B25E5754 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572D76 5 Bytes JMP B25E57AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80573125 7 Bytes JMP B25E5714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80573CFD 7 Bytes JMP B25E587B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FBF4 7 Bytes JMP B25E58BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581EFE 7 Bytes JMP B25E57D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805847BC 5 Bytes JMP B25E5797 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058C882 5 Bytes JMP B25E57BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80590E92 5 Bytes JMP B25E58FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593B28 7 Bytes JMP B25E5865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805951B2 7 Bytes JMP B25E5839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0B24 5 Bytes JMP B25E572A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062C4EB 5 Bytes JMP B25E57FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064C122 5 Bytes JMP B25E5913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064C3F7 7 Bytes JMP B25E58E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CCC4 7 Bytes JMP B25E58A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064D109 7 Bytes JMP B25E584F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064D5FE 5 Bytes JMP B25E5927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DB000A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DB009D
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DB0078
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DB0F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DB0051
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DB0FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DB00BF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DB00AE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DB00EB
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DB0F48
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00DB0F2D
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00DB0FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00DB0025
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00DB0F83
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00DB0036
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00DB0FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00DB00D0
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00DA0047
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegCreateKeyExW 77DD774C 5 Bytes JMP 00DA0087
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegOpenKeyExA 77DD7832 5 Bytes JMP 00DA002C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegOpenKeyW 77DD7926 5 Bytes JMP 00DA001B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegCreateKeyExA 77DDE834 5 Bytes JMP 00DA0076
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegOpenKeyA 77DDEE08 5 Bytes JMP 00DA000A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegCreateKeyW 77DE45EE 5 Bytes JMP 00DA0FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] ADVAPI32.DLL!RegCreateKeyA 77DE4706 5 Bytes JMP 00DA0FDB
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] MSVCRT.DLL!_wsystem 77C2931E 5 Bytes JMP 00D9005D
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] MSVCRT.DLL!system 77C293C7 5 Bytes JMP 00D90042
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] MSVCRT.DLL!_creat 77C2D40F 5 Bytes JMP 00D90FD2
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] MSVCRT.DLL!_open 77C2F566 5 Bytes JMP 00D90FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] MSVCRT.DLL!_wcreat 77C2FC9B 5 Bytes JMP 00D9001D
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] MSVCRT.DLL!_wopen 77C30055 5 Bytes JMP 00D9000C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[132] WS2_32.dll!socket 11103B91 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0053
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0F79
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0F8A
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0022
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A007F
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F43
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0F01
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F1C
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A0EF0
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A0F9B
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A006E
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0011
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\explorer.exe[292] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A009A
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00280FB6
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00280051
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00280011
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00280000
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00280040
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00280FE5
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00280F94
.text C:\WINDOWS\explorer.exe[292] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00280FA5
.text C:\WINDOWS\explorer.exe[292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290027
.text C:\WINDOWS\explorer.exe[292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290F9C
.text C:\WINDOWS\explorer.exe[292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FD2
.text C:\WINDOWS\explorer.exe[292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\explorer.exe[292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FB7
.text C:\WINDOWS\explorer.exe[292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\explorer.exe[292] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\explorer.exe[292] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002B000A
.text C:\WINDOWS\explorer.exe[292] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\explorer.exe[292] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002B001B
.text C:\WINDOWS\explorer.exe[292] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01380000
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0FAF
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A009A
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0FC0
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A007D
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0062
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F83
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A00C9
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0F57
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00F0
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A0F46
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A0FDB
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A0011
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A0F9E
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0047
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A002C
.text C:\Program Files\Messenger\msmsgs.exe[444] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A0F68
.text C:\Program Files\Messenger\msmsgs.exe[444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0028002C
.text C:\Program Files\Messenger\msmsgs.exe[444] msvcrt.dll!system 77C293C7 5 Bytes JMP 00280FA1
.text C:\Program Files\Messenger\msmsgs.exe[444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00280FBC
.text C:\Program Files\Messenger\msmsgs.exe[444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00280FE3
.text C:\Program Files\Messenger\msmsgs.exe[444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00280011
.text C:\Program Files\Messenger\msmsgs.exe[444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00280000
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00290051
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0029006C
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0029002C
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0029001B
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00290FB9
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00290000
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00290FD4
.text C:\Program Files\Messenger\msmsgs.exe[444] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00290FE5
.text C:\Program Files\Messenger\msmsgs.exe[444] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 002A0FE5
.text C:\Program Files\Messenger\msmsgs.exe[444] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002B0FEF
.text C:\Program Files\Messenger\msmsgs.exe[444] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002B000A
.text C:\Program Files\Messenger\msmsgs.exe[444] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002B0FD4
.text C:\Program Files\Messenger\msmsgs.exe[444] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01170FE5
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01170069
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01170F74
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01170058
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01170F9B
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01170036
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 011700A1
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01170F59
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01170F37
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 011700D0
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01170F1C
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01170047
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0117000A
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01170084
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01170025
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01170FD4
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01170F48
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01160F9E
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 01160F4D
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01160FB9
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01160FCA
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01160F68
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01160FE5
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01160014
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01160F83
.text C:\WINDOWS\system32\services.exe[688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A50F8B
.text C:\WINDOWS\system32\services.exe[688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A50FA6
.text C:\WINDOWS\system32\services.exe[688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A50FD2
.text C:\WINDOWS\system32\services.exe[688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\services.exe[688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A50FC1
.text C:\WINDOWS\system32\services.exe[688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A5000C
.text C:\WINDOWS\system32\services.exe[688] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EF0091
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EF0080
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EF006F
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EF0FB2
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EF0054
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EF0F4B
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EF0F66
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EF00C9
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EF00B8
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00EF00E4
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00EF0FC3
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00EF0F81
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00EF002F
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00EF001E
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00EF0F3A
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00EE0039
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00EE0FA8
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00EE001E
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00EE0FDE
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00EE0065
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00EE0054
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00EE0FCD
.text C:\WINDOWS\system32\lsass.exe[700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0044
.text C:\WINDOWS\system32\lsass.exe[700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED0FB9
.text C:\WINDOWS\system32\lsass.exe[700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED0FDE
.text C:\WINDOWS\system32\lsass.exe[700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\lsass.exe[700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0029
.text C:\WINDOWS\system32\lsass.exe[700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED000C
.text C:\WINDOWS\system32\lsass.exe[700] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00820FEF
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00820F5D
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00820F6E
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00820052
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00820F89
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00820FAB
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00820088
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00820F42
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00820EEF
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00820F00
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008200AD
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00820F9A
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00820FDE
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 0082006D
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00820FBC
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00820FCD
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00820F25
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00810FB9
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00810F8D
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0081004A
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0081002F
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00810FA8
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800F8B
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800F9C
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800FB7
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800016
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800FD2
.text C:\WINDOWS\system32\svchost.exe[852] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008E000A
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008E007F
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008E0F80
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008E0F9B
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008E0FAC
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008E0047
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008E0F48
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008E0F6F
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008E0F26
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008E0F37
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008E0F0B
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008E0058
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008E0FE5
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008E0090
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008E0036
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008E001B
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008E00B5
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 008D0FCA
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 008D0087
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 008D001B
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 008D0FE5
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 008D0062
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 008D0051
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 008D0040
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C0042
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0027
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C0FC8
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C0FAD
.text C:\WINDOWS\system32\svchost.exe[956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C0FE3
.text C:\WINDOWS\system32\svchost.exe[956] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008B0000
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 023C0FEF
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 023C0057
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 023C003C
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 023C0F6E
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 023C0F7F
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 023C0FA1
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 023C0F31
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 023C0083
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 023C0F16
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 023C00A5
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 023C0EFB
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 023C0F90
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 023C0FDE
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 023C0072
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 023C0FB2
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 023C0FC3
.text C:\WINDOWS\System32\svchost.exe[1064] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 023C0094
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 023B0040
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 023B0FB9
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 023B0025
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 023B0000
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 023B006C
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 023B0FEF
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 023B0FCA
.text C:\WINDOWS\System32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 023B0051
.text C:\WINDOWS\System32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 023A0042
.text C:\WINDOWS\System32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 023A0027
.text C:\WINDOWS\System32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 023A0FC1
.text C:\WINDOWS\System32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 023A0FE3
.text C:\WINDOWS\System32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 023A000C
.text C:\WINDOWS\System32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 023A0FD2
.text C:\WINDOWS\System32\svchost.exe[1064] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02390000
.text C:\WINDOWS\System32\svchost.exe[1064] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02380FE5
.text C:\WINDOWS\System32\svchost.exe[1064] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02380FD4
.text C:\WINDOWS\System32\svchost.exe[1064] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02380FC3
.text C:\WINDOWS\System32\svchost.exe[1064] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02380014
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00760000
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0076007D
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00760F7E
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00760062
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00760FA5
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00760047
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007600AE
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00760F5C
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00760F37
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007600D0
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007600E1

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B07F8C8A
Device \FileSystem\Fastfat \Fat B080838A

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#12 Baabiouz
Finnish Malware Fighter

Posted 16 November 2009 - 12:08 PM

Hello, GMER looks fine.

Have you tried accessing the hosts file in safe mode?

#13 UbreBlanca
Topic Starter

Posted 16 November 2009 - 11:17 PM

OK - just tried it in safe mode. Same error messages when I try to change the hosts file manually. HostsXpert didn't let me change the entry either (however the restore MS Hosts button didn't show up - might have been the screen resolution in safe mode).

#14 Baabiouz
Finnish Malware Fighter

Posted 18 November 2009 - 08:42 AM

Hello

OTMoveIt3
  • Download OTMoveIt3 and save it to your desktop. Then run it.
  • Copy and paste the lines in the code box below into the input field at the bottom left corner:
    :processes
    explorer.exe
    
    :files
    C:\Windows\System32\DRIVERS\ETC\hosts
  • Now click the red button that says MoveIt!
  • To the right, the results show up. Copy and paste them all into a notepad file and post the notepad file in your next reply.
Then please run HostsXpert and try to restore the MS hosts file.

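As an added defender-side example (not part of this thread, and not OTMoveIt3's or HostsXpert's own code), here is a Python check of the kind of hosts file the thread is fighting: it parses the file, flags names mapped away from loopback (a redirect) and watched security or search domains pinned to loopback (a block), and compares the file against the Microsoft default that HostsXpert restores. The watched-domain list and the sample hosts content are constructed assumptions.

```python
import ipaddress

# The stock Windows XP hosts file contains only this mapping.
MS_DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Illustrative list (an assumption): domains a redirect/blocking infection
# commonly tampers with. Extend it for your own environment.
WATCHED_SUFFIXES = ("google.com", "bing.com", "microsoft.com",
                    "windowsupdate.com", "mcafee.com", "malwarebytes.org")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments/blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()                      # IP, then one or more names
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not an address
        for name in parts[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def find_hijacks(text):
    """Flag entries that redirect a name off-host or block a watched domain."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        local = addr.is_loopback or addr.is_unspecified
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and local:
            findings.append((ip, name, "blocks access to a watched domain"))
        elif not local:
            findings.append((ip, name, "redirects a name to a remote address"))
    return findings


def is_default(text):
    """True when the file holds nothing beyond the Microsoft default mapping."""
    return parse_hosts(text) == parse_hosts(MS_DEFAULT_HOSTS)


# Constructed sample resembling a hijacked XP hosts file (192.0.2.10 is a
# documentation address used as a placeholder, not a real indicator).
SAMPLE_HOSTS = """\
# constructed sample header comment
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # redirect to a remote host
127.0.0.1       www.malwarebytes.org        # block the cleanup tool's site
"""

if __name__ == "__main__":
    for ip, name, why in find_hijacks(SAMPLE_HOSTS):
        print(f"{ip:<16}{name:<28}{why}")
    print("matches Microsoft default:", is_default(SAMPLE_HOSTS))
```

Run it against the hosts file content after OTM has moved it (or the restored one) to confirm only the default mapping remains.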
#15 UbreBlanca
Topic Starter

Posted 18 November 2009 - 10:30 AM

That DID the trick!!!

Here's the file:

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Windows\System32\DRIVERS\ETC\hosts moved successfully.

OTM by OldTimer - Version 3.1.2.0 log created on 11182009_071739

Thanks so much for all your time and effort - I really appreciate it. Is there any way to contribute to the functioning of this site? You are doing an amazing community service.
