Unknown infection on Dell Inspiron 9300 running XP


This topic is locked
21 replies to this topic

#1 efris
  • Members
  • 13 posts

Posted 20 December 2009 - 11:40 PM

I've got a sick laptop ... hoping you can help. It's a four year old Dell Inspiron 9300 running XP/SP3. The infection is preventing me from accessing any Microsoft or anti-virus company web sites. Also, as the PC runs it eventually disables the Windows managed wireless network. Two other symptoms...
- When using Explorer the screen will flash and then the menus get blacked out.
- The sound card gets spontaneously disabled.

This all started happening during a period of time when I had no anti-virus software running. I've had the Firewall running on my router and the Windows XP Firewall running all along and I stay away from obvious problem websites (no porn ... really!). Now I can't get updated virus protection loaded to the machine. I was able to install Malwarebytes software but it couldn't update the definitions and it didn't find any problems.

I have an external drive I use for backups that I was concerned might be infected but I've scanned it using McAfee on another PC and it hasn't found anything. (Fortunately that machine isn't showing any signs of being sick, either.)

I've been preparing to do a full Windows restore if necessary, but that's a pain and I don't know if it'll even solve the problem.

I've run SDFix, ComboFix and RootRepeal and have the reports available.

Thanks!!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/20 21:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Eric\LOCALS~1\Temp\catchme.sys
Address: 0xF7983000 Size: 30592 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1370000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B65000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7B2B000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEED68000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\eric\local settings\temp\~df200b.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\eric\local settings\temp\~df4256.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: c:\documents and settings\eric\local settings\temp\~dfa0c2.tmp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\eric\local settings\temp\~dfa2ef.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\eric\local settings\temp\~dff2b6.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Hidden Services
-------------------
Service Name: esrlzeq
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

#2 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,772 posts

Posted 03 January 2010 - 06:12 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,772 posts

Posted 09 January 2010 - 08:07 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#4 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,772 posts

Posted 09 January 2010 - 10:40 AM

Hi,

topic reopened, please post your logs.

regards myrti



#5 efris
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2010 - 12:03 PM

Thanks for reopening this topic! Hopefully the description of my problem in my first post is a good start. I've attached the two logs from OTL, let me know if you need anything else.




#6 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,772 posts

Posted 09 January 2010 - 12:23 PM

Hi,
please do not attach the logs, but paste them into your replies.

Please provide the logs from Combofix and SDFix which you ran earlier.

Please also run gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti



#7 efris
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2010 - 03:34 PM

Sorry 'bout attaching instead of pasting. The two logs are pasted below.
I'll run GMER and post that soon.
- Eric



Log from SDFix:

SDFix: Version 1.240
Run by Administrator on Sun 12/20/2009 at 08:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 20:34:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a22d]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\esrlzeq]
"DisplayName"="Helper Network"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\esrlzeq\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\fwoeknl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a22d]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\esrlzeq]
"DisplayName"="Helper Network"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\esrlzeq\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\fwoeknl.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Pinnacle\\MediaCenter\\PMC.exe"="C:\\Program Files\\Pinnacle\\MediaCenter\\PMC.exe:LocalSubNet:Enabled:Pmc.exe"
"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaCenterService\\PMC.Service.Main.exe"="C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaCenterService\\PMC.Service.Main.exe:LocalSubNet:Enabled:PMC.Service.Main.exe"
"C:\\Program Files\\Pinnacle\\MediaCenter\\PMSInstallInit.exe"="C:\\Program Files\\Pinnacle\\MediaCenter\\PMSInstallInit.exe:LocalSubNet:Enabled:PMSInstallInit.exe"
"C:\\Program Files\\Pinnacle\\MediaCenter\\PSST.exe"="C:\\Program Files\\Pinnacle\\MediaCenter\\PSST.exe:LocalSubNet:Enabled:PSST.exe"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Vsk5Online\\Vsk5Online.exe"="C:\\Program Files\\Vsk5Online\\Vsk5Online.exe:*:Enabled:Vsk5Online"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :



Files with Hidden Attributes :

Sat 21 Mar 2009 167,765 A.SHR --- "C:\WINDOWS\system32\fwoeknl.dll"
Mon 19 Sep 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 24 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Eric\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Eric\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Eric\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Eric\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sun 16 Nov 2008 0 A..H. --- "C:\Documents and Settings\Eric\Local Settings\Application Data\SupportSoft\DellSupportCenter\Eric\data\BIT2.tmp"
Thu 6 Aug 2009 0 A..H. --- "C:\Documents and Settings\Eric\Local Settings\Application Data\SupportSoft\DellSupportCenter\Eric\data\BITD4.tmp"

Finished!


#################################################################################

Log from ComboFix

ComboFix 10-01-04.01 - Eric 01/09/2010 13:22:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.574 [GMT -6:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\windows\system32\fwoeknl.dll
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESRLZEQ
-------\Service_esrlzeq


((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2009-12-21 02:16 . 2009-12-21 02:16 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-12-21 02:13 . 2009-12-21 02:13 -------- d-----w- c:\windows\ERUNT
2009-12-21 02:12 . 2008-11-06 08:03 -------- d-----w- C:\SDFix
2009-12-21 00:48 . 2009-12-21 00:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-12-20 07:29 . 2009-12-22 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Vsk5Online
2009-12-20 07:22 . 2009-12-20 07:28 -------- d-----w- c:\program files\Vsk5Online
2009-12-20 03:53 . 2000-08-08 18:34 274432 ----a-w- c:\windows\d3dxas.dll
2009-12-20 03:53 . 2009-12-20 06:57 -------- d-----w- c:\program files\Stentec
2009-12-20 03:39 . 2009-12-20 03:39 -------- d-----w- c:\documents and settings\Eric\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 07:14 . 2007-03-12 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-12-21 12:37 . 2009-09-20 02:21 -------- d-----w- c:\documents and settings\Eric\Application Data\Move Networks
2009-12-21 12:33 . 2009-09-20 02:21 143976 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\uninstall.exe
2009-12-21 12:33 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-12-21 12:33 . 2009-12-21 12:33 1794456 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-12-17 00:50 . 2009-02-03 02:24 574344 ----a-w- c:\documents and settings\Eric\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2009-12-13 04:52 . 2005-10-26 01:24 -------- d-----w- c:\program files\QUICKENW
2009-11-05 01:25 . 2009-11-05 01:25 152576 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2008-04-11 03:31 . 2008-04-11 03:30 336 ----a-w- c:\program files\temp995.bat
2005-04-01 03:17 . 2005-10-20 01:37 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"SansaDispatch"="c:\documents and settings\Eric\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-29 79872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech BT Wizard"="LBTWiz.exe -silent" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-13 98304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 28160]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"StartupDelayer"="c:\program files\Startup Delayer\Startup Launcher.exe" [2007-12-14 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-27 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-13 24576]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2006-12-17 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-15 23:14 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2006-04-27 16:30 53248 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Vsk5Online\\Vsk5Online.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"4219:TCP"= 4219:TCP:algvgqlc

.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120129017-1111112472-1293862711-1005Core.job
- c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:01]

2010-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120129017-1111112472-1293862711-1005UA.job
- c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:01]

2010-01-09 c:\windows\Tasks\User_Feed_Synchronization-{CB13CA8D-2756-47F2-8992-2BD3B32E6C24}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://138.237.46.59/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{184EB198-1DBA-46DB-B728-7A5FC13D5C2B}_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 13:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Eric\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?520Files%25252520-%25252520TEST%25252520ONLY!%252526url%25253dhttp%2525253a%2525252f%252

scanning hidden files ...


c:\windows\system32\wuaueng.dll.wusetup.259171.bak 1809944 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(328)
c:\windows\system32\WININET.dll
c:\program files\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\SetPoint\LBTWiz.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\wcescomm.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
c:\program files\DellSupport\DSAgnt.exe
.
**************************************************************************
.
Completion time: 2010-01-09 13:48:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-09 19:48
ComboFix2.txt 2009-12-21 02:57

Pre-Run: 7,658,024,960 bytes free
Post-Run: 7,635,767,296 bytes free

- - End Of File - - 73576EAD4A9858AA34A9FFC494ACAD32

#8 efris
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2010 - 03:41 PM

Myrti,

The SDFix log I sent a few minutes ago was from mid-December when I first posted to BleepingComputer. I wasn't able to find the ComboFix log so I reran it. Now it looks like my problem has been repaired!

The Automatic Updates app in the system tray is suddenly showing a huge backlog of updates ready to load and I can access both the Microsoft and McAfee website. I'll try to get the upgrades and McAfee installed to see if the problem is resolved, then I'll post an update.

Thanks,
Eric

#9 efris
  • Topic Starter
  • Members
  • 13 posts

Posted 10 January 2010 - 12:52 AM

Myrti,

I can't explain it, but after running ComboFix everything appears to be good. I've downloaded all the latest MS security patches, the McAfee Security Suite with all the latest components and scanned the PC. I see no signs of any problems at this time. When I ran the full scan with McAfee it quarantined W32/Conficker.worm.gen.a, but this was after the PC had already started working correctly (allowing access to MS and anti-virus sites and not shutting resources down).

Thanks for your help!

- Eric

#10 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,772 posts

Posted 10 January 2010 - 07:33 AM

Hi,

ComboFix took out Conficker, which is probably the reason why you can access all sites again and use your PC as you used to.

There are a couple of things still left to do:

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\temp995.bat
Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4219:TCP"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please also run GMER and post the log here.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
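As an added example (not code from this thread, from ComboFix or from its author), the script below reads the REGEDIT4-style firewall sections that ComboFix prints under "Reg Loading Points", lists any GloballyOpenPorts exception that is not in a baseline you recognise, and applies the `"name"=-` deletions from a CFScript `Registry::` block so you can preview what a script like the one above removes before running it. The sample dump is constructed from this thread's own log lines plus a constructed data value for the `4219:TCP` entry (the thread never shows what that value contained), and the allow-list holding only the ActiveSync exception is an assumption for the example.

```python
"""Audit Windows XP firewall exceptions from a ComboFix-style REGEDIT4 dump and
preview the deletions a CFScript Registry:: block would perform.

Added example; the CFScript and log formats are as they appear in the thread,
everything else is an assumption of this example."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

RegDump = Dict[str, Dict[str, Optional[str]]]

FIREWALL_BASE = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
OPEN_PORTS_KEY = (FIREWALL_BASE + r"\GloballyOpenPorts\List").lower()

# Constructed sample: the firewall sections from the thread's ComboFix log, plus a
# constructed "4219:TCP" value standing in for the entry the CFScript removed.
SAMPLE_DUMP = r"""
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"4219:TCP"= 4219:TCP:*:Enabled:constructed-example-entry
"""

# The CFScript exactly as posted in the thread.
CFSCRIPT = r"""
File::
c:\program files\temp995.bat
Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4219:TCP"=-
"""

# Assumed baseline: exceptions the machine owner recognises (here only ActiveSync).
ALLOWED_PORTS = ["26675:TCP"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_regedit4(text: str) -> RegDump:
    """Parse a REGEDIT4 listing into {key: {value_name: data}}.

    data is None for the deletion form  "name"=-  which is what a CFScript
    Registry:: block uses to remove a value. Keys are lower-cased because the
    registry compares them case-insensitively."""
    dump: RegDump = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            dump.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1), value_match.group(2).strip()
            dump[current][name] = None if data == "-" else data
    return dump


def parse_cfscript(script: str) -> Tuple[List[str], str]:
    """Split a CFScript into its File:: paths and the raw text of its Registry:: block."""
    files: List[str] = []
    registry_lines: List[str] = []
    section: Optional[str] = None
    for raw in script.splitlines():
        line = raw.strip()
        if line.endswith("::"):            # section header such as File:: or Registry::
            section = line[:-2].lower()
            continue
        if section == "file" and line:
            files.append(line)
        elif section == "registry":
            registry_lines.append(raw)
    return files, "\n".join(registry_lines)


def apply_registry_deletions(dump: RegDump, script_registry: str) -> RegDump:
    """Return a copy of dump with every "name"=- from the script's Registry:: block removed."""
    result = {key: dict(values) for key, values in dump.items()}
    for key, values in parse_regedit4(script_registry).items():
        for name, data in values.items():
            if data is None:
                result.get(key, {}).pop(name, None)
    return result


def unexpected_open_ports(dump: RegDump, allowed: Iterable[str]) -> List[str]:
    """GloballyOpenPorts value names (e.g. '4219:TCP') that are not in the baseline."""
    allowed_set = {entry.upper() for entry in allowed}
    ports = dump.get(OPEN_PORTS_KEY, {})
    return sorted(name for name in ports if name.upper() not in allowed_set)


if __name__ == "__main__":
    before = parse_regedit4(SAMPLE_DUMP)
    print("unexpected open ports before script:", unexpected_open_ports(before, ALLOWED_PORTS))
    files, registry = parse_cfscript(CFSCRIPT)
    print("files the script deletes:", files)
    after = apply_registry_deletions(before, registry)
    print("unexpected open ports after script:", unexpected_open_ports(after, ALLOWED_PORTS))
```

Run against a real ComboFix log, paste the "Reg Loading Points" firewall sections into SAMPLE_DUMP and your own known exceptions into ALLOWED_PORTS; any port the audit reports is a candidate for the same `"port:TCP"=-` treatment once you have confirmed no legitimate program registered it.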


#11 efris

efris
  • Topic Starter
  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 10 January 2010 - 10:24 AM

Thanks.
The new ComboFix log is posted below. I'll run GMER later and post it, too, but I've got a time conflict for the next couple of hours.
Thanks again for your help!
- Eric

ComboFix 10-01-04.01 - Eric 01/10/2010 8:44.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.556 [GMT -6:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\program files\temp995.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\temp995.bat

.
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-09 23:51 . 2010-01-09 23:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-09 21:39 . 2010-01-09 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-01-09 21:35 . 2009-11-04 22:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-01-09 21:35 . 2009-11-04 22:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-01-09 21:35 . 2009-11-04 22:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-09 21:33 . 2010-01-09 21:34 -------- d-----w- c:\program files\McAfee.com
2010-01-09 21:29 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-21 12:33 . 2009-12-21 12:33 1794456 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-12-21 02:16 . 2009-12-21 02:16 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-12-21 02:13 . 2009-12-21 02:13 -------- d-----w- c:\windows\ERUNT
2009-12-21 02:12 . 2008-11-06 08:03 -------- d-----w- C:\SDFix
2009-12-21 00:48 . 2009-12-21 00:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-12-20 07:29 . 2009-12-22 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Vsk5Online
2009-12-20 07:22 . 2009-12-20 07:28 -------- d-----w- c:\program files\Vsk5Online
2009-12-20 03:53 . 2000-08-08 18:34 274432 ----a-w- c:\windows\d3dxas.dll
2009-12-20 03:53 . 2009-12-20 06:57 -------- d-----w- c:\program files\Stentec
2009-12-20 03:39 . 2009-12-20 03:39 -------- d-----w- c:\documents and settings\Eric\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 04:34 . 2007-02-27 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-10 04:27 . 2005-09-21 02:33 -------- d-----w- c:\program files\McAfee
2010-01-09 21:35 . 2007-02-27 03:40 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-30 07:14 . 2007-03-12 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-12-21 12:37 . 2009-09-20 02:21 -------- d-----w- c:\documents and settings\Eric\Application Data\Move Networks
2009-12-21 12:33 . 2009-09-20 02:21 143976 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\uninstall.exe
2009-12-21 12:33 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-12-17 00:50 . 2009-02-03 02:24 574344 ----a-w- c:\documents and settings\Eric\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2009-12-13 04:52 . 2005-10-26 01:24 -------- d-----w- c:\program files\QUICKENW
2009-11-05 01:25 . 2009-11-05 01:25 152576 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45 . 2004-08-19 20:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-19 20:49 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-19 20:49 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-13 10:30 . 2004-08-19 20:49 270336 ----a-w- c:\windows\system32\oakley.dll
2005-04-01 03:17 . 2005-10-20 01:37 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-21_02.55.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-10 14:18 . 2010-01-10 14:18 16384 c:\windows\Temp\Perflib_Perfdata_698.dat
+ 2005-05-26 09:16 . 2009-08-07 01:24 44768 c:\windows\system32\wups2.dll
+ 2004-08-19 21:04 . 2009-08-07 01:24 35552 c:\windows\system32\wups.dll
+ 2004-08-19 21:04 . 2009-08-07 01:24 53472 c:\windows\system32\wuauclt.exe
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2010-01-09 19:39 . 2009-08-07 01:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-01-09 19:39 . 2009-08-07 01:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
- 2004-08-19 20:49 . 2008-04-14 00:12 79872 c:\windows\system32\raschap.dll
+ 2004-08-19 20:49 . 2009-10-12 13:38 79872 c:\windows\system32\raschap.dll
- 2004-08-19 20:49 . 2009-11-01 14:29 73496 c:\windows\system32\perfc009.dat
+ 2004-08-19 20:49 . 2010-01-09 21:15 73496 c:\windows\system32\perfc009.dat
+ 2006-11-08 03:03 . 2009-10-29 07:45 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 03:03 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-19 20:49 . 2009-09-04 21:03 58880 c:\windows\system32\msasn1.dll
+ 2007-09-04 01:05 . 2009-12-24 04:52 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2004-08-19 20:49 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-19 20:49 . 2009-10-29 07:45 25600 c:\windows\system32\jsproxy.dll
+ 2009-06-29 10:39 . 2009-10-29 07:45 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-29 10:39 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2004-08-19 21:04 . 2009-08-07 01:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-19 21:04 . 2009-08-07 01:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2009-10-21 05:38 . 2009-10-21 05:38 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2009-10-12 13:38 . 2009-10-12 13:38 79872 c:\windows\system32\dllcache\raschap.dll
+ 2007-05-18 01:56 . 2009-10-29 07:45 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-18 01:56 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-09-04 21:03 . 2009-09-04 21:03 58880 c:\windows\system32\dllcache\msasn1.dll
- 2006-05-10 05:25 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:25 . 2009-10-29 07:45 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 25088 c:\windows\system32\dllcache\httpapi.dll
+ 2004-08-19 20:49 . 2009-08-07 01:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2010-01-09 23:58 . 2010-01-10 14:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-09-19 22:17 . 2009-04-02 00:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-19 22:17 . 2010-01-10 14:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-19 22:17 . 2009-04-02 00:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-09 23:58 . 2010-01-10 14:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-19 20:49 . 2009-08-07 01:24 96480 c:\windows\system32\cdm.dll
+ 2009-06-25 01:56 . 2009-06-25 01:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 06:49 . 2008-05-28 06:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 06:49 . 2008-05-28 06:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2008-05-28 06:49 . 2008-05-28 06:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 07:30 . 2008-05-28 07:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2004-09-29 23:11 . 2009-06-24 18:56 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\ToGac.exe
+ 2004-10-07 22:36 . 2009-06-24 18:56 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\SetRegNI.exe
+ 2004-08-19 21:02 . 2009-06-24 04:01 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
- 2004-08-19 21:02 . 2007-01-02 21:29 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
+ 2004-08-19 21:02 . 2009-06-24 04:01 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
- 2004-08-19 21:02 . 2007-01-02 21:29 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
+ 2004-08-19 21:02 . 2009-06-24 04:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
- 2004-08-19 21:02 . 2008-04-13 16:10 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
- 2004-08-19 21:02 . 2008-04-13 16:10 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
+ 2004-08-19 21:02 . 2009-06-24 04:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
+ 2010-01-09 20:48 . 2010-01-09 20:48 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2010-01-09 20:54 . 2009-07-03 17:09 12800 c:\windows\ie8updates\KB976325-IE8\xpshims.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 55296 c:\windows\ie8updates\KB976325-IE8\msfeedsbs.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 25600 c:\windows\ie8updates\KB976325-IE8\jsproxy.dll
+ 2010-01-09 20:52 . 2010-01-09 20:52 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_4978af44\System.Drawing.Design.dll
+ 2010-01-09 20:52 . 2010-01-09 20:52 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_c9d0ca2e\CustomMarshalers.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 90112 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing.Design\1.0.3300.0__b03f5f7f11d50a3a_4333a2e1\System.Drawing.Design.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 61440 c:\windows\assembly\NativeImages1_v1.0.3705\CustomMarshalers\1.0.3300.0__b03f5f7f11d50a3a_39961f2e\CustomMarshalers.dll
- 2004-08-19 21:02 . 2007-01-02 21:29 8192 c:\windows\Microsoft.NET\Framework\v1.0.3705\IEExec.exe
+ 2004-08-19 21:02 . 2009-06-29 17:57 8192 c:\windows\Microsoft.NET\Framework\v1.0.3705\IEExec.exe
+ 2004-08-19 21:04 . 2009-08-07 01:24 209632 c:\windows\system32\wuweb.dll
+ 2004-08-19 21:04 . 2009-08-07 01:24 327896 c:\windows\system32\wucltui.dll
+ 2004-08-19 21:04 . 2009-08-07 01:23 575704 c:\windows\system32\wuapi.dll
+ 2004-08-19 20:50 . 2009-04-10 07:01 413032 c:\windows\system32\wmspdmod.dll
+ 2004-08-19 20:49 . 2009-08-25 09:17 354816 c:\windows\system32\winhttp.dll
- 2004-08-19 20:50 . 2008-10-03 10:02 247326 c:\windows\system32\strmdll.dll
+ 2004-08-19 20:50 . 2009-08-26 08:00 247326 c:\windows\system32\strmdll.dll
+ 2004-08-19 20:49 . 2009-10-12 13:38 149504 c:\windows\system32\rastls.dll
- 2004-08-19 20:49 . 2009-11-01 14:29 446814 c:\windows\system32\perfh009.dat
+ 2004-08-19 20:49 . 2010-01-09 21:15 446814 c:\windows\system32\perfh009.dat
- 2004-08-19 20:49 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
+ 2004-08-19 20:49 . 2009-10-29 07:45 206848 c:\windows\system32\occache.dll
+ 2004-08-19 20:49 . 2009-09-11 14:18 136192 c:\windows\system32\msv1_0.dll
- 2004-08-19 20:49 . 2009-06-25 08:25 136192 c:\windows\system32\msv1_0.dll
- 2006-11-08 03:03 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
+ 2006-11-08 03:03 . 2009-10-29 07:45 594432 c:\windows\system32\msfeeds.dll
+ 2009-10-28 03:31 . 2009-10-28 03:31 257440 c:\windows\system32\Macromed\Flash\FlashUtil10d.exe
+ 2004-08-19 20:49 . 2009-10-29 07:45 184320 c:\windows\system32\iepeers.dll
- 2004-08-19 20:49 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2004-08-19 20:49 . 2009-10-29 07:45 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-19 20:49 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-19 20:49 . 2009-10-28 14:40 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-19 20:57 . 2010-01-09 21:13 251088 c:\windows\system32\FNTCACHE.DAT
- 2004-08-19 20:57 . 2009-06-10 11:28 251088 c:\windows\system32\FNTCACHE.DAT
+ 2007-02-27 03:42 . 2009-07-16 18:32 120136 c:\windows\system32\drivers\Mpfp.sys
+ 2004-08-19 21:04 . 2009-08-07 01:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-19 21:04 . 2009-08-07 01:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-19 21:04 . 2009-08-07 01:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-19 20:50 . 2009-04-10 07:01 413032 c:\windows\system32\dllcache\wmspdmod.dll
+ 2006-05-10 05:25 . 2009-10-29 07:45 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
- 2006-08-21 15:52 . 2008-10-03 10:02 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2006-08-21 15:52 . 2009-08-26 08:00 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2009-10-12 13:38 . 2009-10-12 13:38 149504 c:\windows\system32\dllcache\rastls.dll
- 2006-10-17 18:04 . 2009-07-03 17:09 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 18:04 . 2009-10-29 07:45 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-10-13 10:30 . 2009-10-13 10:30 270336 c:\windows\system32\dllcache\oakley.dll
+ 2009-06-25 08:25 . 2009-09-11 14:18 136192 c:\windows\system32\dllcache\msv1_0.dll
- 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2007-05-18 01:56 . 2009-10-29 07:45 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-18 01:56 . 2009-07-03 17:09 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-06-29 10:39 . 2009-10-29 07:45 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-29 10:39 . 2009-07-03 17:09 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2006-05-10 05:25 . 2009-07-03 17:09 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-05-10 05:25 . 2009-10-29 07:45 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-11-07 09:27 . 2009-10-29 07:45 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-07 09:26 . 2009-10-28 14:40 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-11-07 09:26 . 2009-07-03 11:01 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\system32\dllcache\http.sys
+ 2008-05-28 06:49 . 2008-05-28 06:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2008-05-28 06:48 . 2008-05-28 06:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2007-04-14 01:56 . 2007-04-14 01:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 07:30 . 2008-05-28 07:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-08-19 21:02 . 2004-07-19 23:54 303104 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorjit.dll
+ 2004-08-19 21:02 . 2009-06-24 03:59 303104 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorjit.dll
+ 2004-08-19 21:02 . 2009-06-24 04:12 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
- 2004-08-19 21:02 . 2008-04-13 16:09 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 429568 c:\windows\Installer\42e1ca.msi
+ 2010-01-09 20:54 . 2009-07-03 17:09 915456 c:\windows\ie8updates\KB976325-IE8\wininet.dll
+ 2010-01-09 20:54 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB976325-IE8\spuninst\updspapi.dll
+ 2010-01-09 20:54 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB976325-IE8\spuninst\spuninst.exe
+ 2010-01-09 20:54 . 2009-07-03 17:09 206848 c:\windows\ie8updates\KB976325-IE8\occache.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 594432 c:\windows\ie8updates\KB976325-IE8\msfeeds.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 246272 c:\windows\ie8updates\KB976325-IE8\ieproxy.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 184320 c:\windows\ie8updates\KB976325-IE8\iepeers.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 386048 c:\windows\ie8updates\KB976325-IE8\iedkcs32.dll
+ 2010-01-09 20:54 . 2009-07-03 11:01 173056 c:\windows\ie8updates\KB976325-IE8\ie4uinit.exe
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2010-01-09 20:53 . 2010-01-09 20:53 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_72538107\System.Drawing.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_c41c1db4\System.Drawing.Design.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_9e1345b4\CustomMarshalers.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 847872 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing\1.0.3300.0__b03f5f7f11d50a3a_61735f14\System.Drawing.dll
+ 2010-01-09 19:49 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2009-07-21 06:03 . 2009-07-21 06:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2004-08-19 21:04 . 2009-08-07 01:23 1929952 c:\windows\system32\wuaueng.dll
+ 2004-08-19 20:49 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2004-08-19 20:49 . 2009-10-29 07:45 1208832 c:\windows\system32\urlmon.dll
- 2004-08-19 20:49 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
- 2004-08-19 20:49 . 2008-04-14 00:12 1435648 c:\windows\system32\query.dll
+ 2004-08-19 20:49 . 2009-07-17 16:22 1435648 c:\windows\system32\query.dll
+ 2004-08-19 20:49 . 2009-08-05 02:44 2189184 c:\windows\system32\ntoskrnl.exe
+ 2004-08-04 03:59 . 2009-08-04 14:20 2066048 c:\windows\system32\ntkrnlpa.exe
- 2004-08-04 03:59 . 2009-02-08 00:02 2066048 c:\windows\system32\ntkrnlpa.exe
+ 2008-08-19 01:31 . 2009-07-31 16:05 1372672 c:\windows\system32\msxml6.dll
+ 2009-07-21 06:05 . 2009-07-21 06:05 1348432 c:\windows\system32\msxml4.dll
+ 2004-08-19 20:49 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2004-08-19 20:49 . 2009-10-29 07:45 5940736 c:\windows\system32\mshtml.dll
- 2006-10-17 17:57 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2006-10-17 17:57 . 2009-10-29 07:45 1985536 c:\windows\system32\iertutil.dll
+ 2004-08-19 21:04 . 2009-08-07 01:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 04:19 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
- 2006-05-10 05:25 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2006-05-10 05:25 . 2009-10-29 07:45 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2009-07-17 16:22 . 2009-07-17 16:22 1435648 c:\windows\system32\dllcache\query.dll
+ 2008-10-16 04:19 . 2009-08-05 02:44 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-16 04:19 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 04:19 . 2009-08-04 14:20 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 04:19 . 2009-08-04 14:20 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-16 04:19 . 2009-02-08 00:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-16 04:19 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-16 04:19 . 2009-08-04 15:13 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-08-19 01:31 . 2009-07-31 16:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-11-13 00:06 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2006-05-19 15:06 . 2009-10-29 07:45 5940736 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-18 01:56 . 2009-10-29 07:45 1985536 c:\windows\system32\dllcache\iertutil.dll
- 2007-05-18 01:56 . 2009-07-03 17:09 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2008-05-28 07:35 . 2008-05-28 07:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 07:35 . 2008-05-28 07:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 06:48 . 2008-05-28 06:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 06:48 . 2008-05-28 06:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 06:43 . 2008-05-28 06:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2007-04-14 01:50 . 2007-04-14 01:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2004-08-19 21:02 . 2009-06-29 17:58 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
- 2004-08-19 21:02 . 2007-01-02 21:40 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
- 2004-08-19 21:02 . 2007-12-17 11:59 2281472 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
+ 2004-08-19 21:02 . 2009-06-24 04:00 2281472 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
+ 2004-08-19 21:02 . 2009-06-24 04:00 2273280 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
- 2004-08-19 21:02 . 2007-12-17 11:58 2273280 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
- 2004-08-19 21:02 . 2007-01-02 21:21 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
+ 2004-08-19 21:02 . 2009-06-29 17:58 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 1208832 c:\windows\ie8updates\KB976325-IE8\urlmon.dll
+ 2010-01-09 20:54 . 2009-07-19 13:18 5937152 c:\windows\ie8updates\KB976325-IE8\mshtml.dll
+ 2010-01-09 20:54 . 2009-07-03 17:09 1985536 c:\windows\ie8updates\KB976325-IE8\iertutil.dll
+ 2008-10-16 04:19 . 2009-08-05 02:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-16 04:19 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 04:19 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-16 04:19 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-16 04:19 . 2009-02-08 00:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 04:19 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2008-10-16 04:19 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-07-21 08:38 . 2007-07-21 08:38 2088960 c:\windows\assembly\temp\LU2AHPW4CJ\System.Xml.dll
+ 2007-07-21 08:39 . 2007-07-21 08:39 3391488 c:\windows\assembly\temp\CLU2BKT2BK\mscorlib.dll
+ 2007-07-21 08:38 . 2007-07-21 08:38 1232896 c:\windows\assembly\temp\CKRY6DKRZ6\System.dll
+ 2007-07-21 08:38 . 2007-07-21 08:38 1966080 c:\windows\assembly\temp\6GOX6FNW5E\System.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_a2f32c07\System.dll
+ 2010-01-09 20:52 . 2010-01-09 20:52 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_84b7dfce\System.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_f8223a0b\System.Xml.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_4c67691d\System.Xml.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_505e6d81\System.Windows.Forms.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_354d784a\System.Windows.Forms.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_e9d3e124\System.Drawing.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_7f9960b8\System.Design.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_477ae9b7\System.Design.dll
+ 2010-01-09 20:53 . 2010-01-09 20:53 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_969573a5\mscorlib.dll
+ 2010-01-09 20:54 . 2010-01-09 20:54 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_337680e3\mscorlib.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 1855488 c:\windows\assembly\NativeImages1_v1.0.3705\System\1.0.3300.0__b77a5c561934e089_a52063c0\System.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 2027520 c:\windows\assembly\NativeImages1_v1.0.3705\System.Xml\1.0.3300.0__b77a5c561934e089_f278585b\System.Xml.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 2953216 c:\windows\assembly\NativeImages1_v1.0.3705\System.Windows.Forms\1.0.3300.0__b77a5c561934e089_8683db4b\System.Windows.Forms.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 1454080 c:\windows\assembly\NativeImages1_v1.0.3705\System.Design\1.0.3300.0__b03f5f7f11d50a3a_faf646e3\System.Design.dll
+ 2010-01-09 20:48 . 2010-01-09 20:48 3301376 c:\windows\assembly\NativeImages1_v1.0.3705\mscorlib\1.0.3300.0__b77a5c561934e089_120aa647\mscorlib.dll
- 2007-07-21 08:38 . 2007-07-21 08:38 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-01-09 20:52 . 2010-01-09 20:52 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2007-07-21 08:38 . 2007-07-21 08:38 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-01-09 20:52 . 2010-01-09 20:52 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-01-09 20:47 . 2010-01-09 20:47 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-08-29 05:19 . 2008-08-29 05:19 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2005-09-19 23:52 . 2009-12-01 18:06 25966024 c:\windows\system32\MRT.exe
+ 2006-11-08 03:03 . 2009-10-29 07:45 11069952 c:\windows\system32\ieframe.dll
+ 2007-05-18 01:56 . 2009-10-29 07:45 11069952 c:\windows\system32\dllcache\ieframe.dll
+ 2009-08-11 03:08 . 2009-08-11 03:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-10 20:09 . 2009-08-10 20:09 17254912 c:\windows\Installer\42e1e0.msp
+ 2010-01-09 20:54 . 2009-07-19 23:48 11067392 c:\windows\ie8updates\KB976325-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"SansaDispatch"="c:\documents and settings\Eric\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-29 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech BT Wizard"="LBTWiz.exe -silent" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-13 98304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 28160]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"StartupDelayer"="c:\program files\Startup Delayer\Startup Launcher.exe" [2007-12-14 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-27 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-9-13 24576]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2006-12-17 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-15 23:14 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2006-04-27 16:30 53248 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Vsk5Online\\Vsk5Online.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/9/2010 3:38 PM 203280]
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120129017-1111112472-1293862711-1005Core.job
- c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:01]

2010-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120129017-1111112472-1293862711-1005UA.job
- c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:01]

2010-01-09 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-09 18:22]

2010-01-09 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-09 18:22]

2010-01-10 c:\windows\Tasks\User_Feed_Synchronization-{CB13CA8D-2756-47F2-8992-2BD3B32E6C24}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://138.237.46.59/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 08:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Eric\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?520Files%25252520-%25252520TEST%25252520ONLY!%252526url%25253dhttp%2525253a%2525252f%252

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-01-10 08:58:49
ComboFix-quarantined-files.txt 2010-01-10 14:58
ComboFix2.txt 2010-01-09 19:48
ComboFix3.txt 2009-12-21 02:57

Pre-Run: 7,042,482,176 bytes free
Post-Run: 7,007,629,312 bytes free

- - End Of File - - 198B24D08F3A805A35E51B4F63D7663F

#12 efris

Posted 10 January 2010 - 03:19 PM

Here's the GMER log. This thing ran for several hours.
Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-10 14:01:49
Windows 5.1.2600 Service Pack 3
Running: 5dhd4uhp.exe; Driver: C:\DOCUME~1\Eric\LOCALS~1\Temp\pwtiqkoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF1FCD78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF1FCD738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF1FCD74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF1FCD7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF1FCD710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF1FCD724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF1FCD79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF1FCD776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF1FCD762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF1FCD7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF1FCD7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF1FCD7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP F1FCD7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP F1FCD78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74FE 7 Bytes JMP F1FCD7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8314 5 Bytes JMP F1FCD7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA96 7 Bytes JMP F1FCD7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1324 5 Bytes JMP F1FCD714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15B0 5 Bytes JMP F1FCD728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE2 5 Bytes JMP F1FCD766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP F1FCD750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AE 5 Bytes JMP F1FCD73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B8 5 Bytes JMP F1FCD77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP F1FCD7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40000
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D40F63
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40F7E
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D40058
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D40F9B
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40FDB
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40F06
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D40F21
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40EDA
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D40EEB
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D4008E
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40FB6
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D40011
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D40F48
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D40047
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D40022
.text C:\WINDOWS\Explorer.EXE[416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D40073
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20FCA
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20036
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20025
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D20F83
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20F9E
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\Explorer.EXE[416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20FAF
.text C:\WINDOWS\Explorer.EXE[416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10F9C
.text C:\WINDOWS\Explorer.EXE[416] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10027
.text C:\WINDOWS\Explorer.EXE[416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10FB7
.text C:\WINDOWS\Explorer.EXE[416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\Explorer.EXE[416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D1000C
.text C:\WINDOWS\Explorer.EXE[416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D10FD2
.text C:\WINDOWS\Explorer.EXE[416] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\Explorer.EXE[416] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[416] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\Explorer.EXE[416] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\Explorer.EXE[416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01280FE5
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01280F55
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0128004A
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01280F70
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01280039
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01280F97
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01280F02
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01280F1F
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01280091
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01280076
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01280EDD
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0128001E
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01280FD4
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01280F3A
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01280FA8
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01280FB9
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01280065
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01270FCD
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01270F9E
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01270FDE
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01270FEF
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0127005B
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0127000A
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0127004A
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01270039
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01260FAD
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 01260042
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0126001D
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01260FEF
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01260FD2
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0126000C
.text C:\WINDOWS\system32\services.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F0006C
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F0005B
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00F81
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00040
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F0009F
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F0008E
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000E6
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F000CB
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F000F7
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F0007D
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F000BA
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0025
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0F94
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF0051
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0036
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0F77
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0F9C
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE000C
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0FAD
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0FD2
.text C:\WINDOWS\system32\lsass.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00086
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00075
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F9B
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00058
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FB6
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F48
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F59
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F12
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000AB
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00EF7
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C0003D
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F76
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FD1
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00022
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F37
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF004A
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0F8D
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0038
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0027
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE000C
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FB7
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\svchost.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B60F77
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60F88
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60F99
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60062
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B600A4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B60087
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B600DA
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60F37
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B600EB
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60047
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B60F5C
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60025
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B600BF
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B50F80
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B50FCA
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50047
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B5002C
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B5001B
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B40FB2
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B4003D
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40011
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B4002C
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 023E0FEF
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 023E0F79
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 023E0078
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 023E005B
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 023E0040
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 023E0025
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 023E00A4
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 023E0F5C
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 023E00C6
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 023E00B5
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 023E00D7
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 023E0F9E
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 023E0FDE
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 023E0089
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 023E0FC3
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 023E0014
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 023E0F41
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 023D0025
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 023D0F8D
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 023D0FD4
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 023D0FE5
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 023D0FA8
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 023D000A
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 023D0FB9
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5D, 8A]
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 023D0040
.text C:\WINDOWS\System32\svchost.exe[1404] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 023C0022
.text C:\WINDOWS\System32\svchost.exe[1404] msvcrt.dll!system 77C293C7 5 Bytes JMP 023C0F97
.text C:\WINDOWS\System32\svchost.exe[1404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 023C0FD7
.text C:\WINDOWS\System32\svchost.exe[1404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 023C0000
.text C:\WINDOWS\System32\svchost.exe[1404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 023C0FB2
.text C:\WINDOWS\System32\svchost.exe[1404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 023C0011
.text C:\WINDOWS\System32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01630FEF
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01620FEF
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01620FD4
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01620014
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01620FC3
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0082
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F8D
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0067
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F9E
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0FB9
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F4E
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F6B
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F33
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00CC
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B0F18
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0040
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F7C
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0FCA
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B00B1
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FC0
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0F80
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A003D
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A002C
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0FAF
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790F9E
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790FB9
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790029
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790FD4
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C007D
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0F88
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F99
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0062
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F3F
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F50
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00BD
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C0F24
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C00D8
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0051
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0011
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F6D
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0036
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C00A2
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0051
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FCA
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F94
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0FA5
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B002C
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FC3
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A004E
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FDE
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0029
.text C:\WINDOWS\system32\svchost.exe[1864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02690000
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0269009D
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02690FA8
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02690082
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02690065
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02690040
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02690F83
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026900D5
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02690F5E
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02690101
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02690112
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02690FB9
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02690FEF
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026900AE
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02690025
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02690FD4
.text C:\WINDOWS\system32\wuauclt.exe[1932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026900E6
.text C:\WINDOWS\system32\wuauclt.exe[1932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02670F90
.text C:\WINDOWS\system32\wuauclt.exe[1932] msvcrt.dll!system 77C293C7 5 Bytes JMP 02670FAB
.text C:\WINDOWS\system32\wuauclt.exe[1932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02670FC6
.text C:\WINDOWS\system32\wuauclt.exe[1932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02670FE3
.text C:\WINDOWS\system32\wuauclt.exe[1932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0267001B
.text C:\WINDOWS\system32\wuauclt.exe[1932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02670000
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0268001B
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02680F6F
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0268000A
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02680FD4
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02680F8A
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02680FEF
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0268002C
.text C:\WINDOWS\system32\wuauclt.exe[1932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02680FAF
.text C:\WINDOWS\system32\wuauclt.exe[1932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02660FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F72
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A005D
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A004C
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A002F
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A001E
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0093
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00C2
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F29
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00DD
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0082
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\system32\dllhost.exe[2460] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\system32\dllhost.exe[2460] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FCA
.text C:\WINDOWS\system32\dllhost.exe[2460] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290055
.text C:\WINDOWS\system32\dllhost.exe[2460] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\dllhost.exe[2460] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\dllhost.exe[2460] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029003A
.text C:\WINDOWS\system32\dllhost.exe[2460] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029001D
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FB2
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F64
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FCD
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F75
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0F86
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\system32\dllhost.exe[2460] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0F97
.text C:\WINDOWS\system32\dllhost.exe[2460] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F99
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B4008E
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B4007D
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B4006C
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40FD4
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B400C6
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B4009F
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F3E
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F4F
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B40F23
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40051
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40014
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40F74
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40036
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40025
.text C:\WINDOWS\system32\svchost.exe[3148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B400D7
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30047
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30FD1
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B3002C
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B3001B
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B30098
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B3007D
.text C:\WINDOWS\system32\svchost.exe[3148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B3006C
.text C:\WINDOWS\system32\svchost.exe[3148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B2003D
.text C:\WINDOWS\system32\svchost.exe[3148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B2002C
.text C:\WINDOWS\system32\svchost.exe[3148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20011
.text C:\WINDOWS\system32\svchost.exe[3148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[3148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20FC6
.text C:\WINDOWS\system32\svchost.exe[3148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FD7
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F81
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F2B
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F52
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0098
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0EFF
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00B3
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA007D
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0014
.text C:\WINDOWS\system32\svchost.exe[3832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F10
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F94
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930025
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[3832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F88
.text C:\WINDOWS\system32\svchost.exe[3832] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092001D
.text C:\WINDOWS\system32\svchost.exe[3832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC8
.text C:\WINDOWS\system32\svchost.exe[3832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[3832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB7
.text C:\WINDOWS\system32\svchost.exe[3832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[3832] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[3832] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[3832] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[3832] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[3832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00880000
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008800D5
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008800BA
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008800A9
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0088008E
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00880058
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00880F9E
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00880FBB
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00880123
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00880112
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00880F6F
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0088007D
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00880025
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008800E6
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00880047
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00880036
.text C:\WINDOWS\system32\svchost.exe[3864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00880101
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0087001B
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00870F97
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00870FCA
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00870000
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00870FA8
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00870FEF
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00870FB9
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A7, 88]
.text C:\WINDOWS\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00870036
.text C:\WINDOWS\system32\svchost.exe[3864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0086004B
.text C:\WINDOWS\system32\svchost.exe[3864] msvcrt.dll!system 77C293C7 5 Bytes JMP 0086003A
.text C:\WINDOWS\system32\svchost.exe[3864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00860FDE
.text C:\WINDOWS\system32\svchost.exe[3864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00860000
.text C:\WINDOWS\system32\svchost.exe[3864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00860029
.text C:\WINDOWS\system32\svchost.exe[3864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00860FEF
.text C:\WINDOWS\system32\svchost.exe[3864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0085000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat EE52AD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a22d
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a22d (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.15 ----

#13 myrti (Malware Study Hall Admin)

Posted 10 January 2010 - 04:07 PM

Hi,

looks like we got the bugger. :( To confirm this, I would like you to run a scan with Eset:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

#14 efris (Topic Starter)

Posted 11 January 2010 - 01:20 AM

ESET Online Scanner ran for just over three hours. The progress bar reached 100% and the timer stopped counting up but it never indicated that it was complete. The headers still say "Scanning..." and "Computer scan in progress..." and the message in the upper-right corner of the screen says, "Step 3 out of 4". The message below the progress bar says, "Current scan results: No threats found." There are no other buttons to click or menu options to select. I'll leave it in this state overnight and let you know if anything new comes up.

Thanks again for all your support!

- Eric

#15 efris (Topic Starter)

Posted 11 January 2010 - 07:31 AM

Nothing has changed after six hours so it appears that the "No threats found" message is the bottom line result. I clicked "Stop" and it went to Step 4 of 4 which was a screen recommending that I purchase their products.
Any thoughts?

Edited by efris, 11 January 2010 - 07:35 AM.
