
links redirected from Google searches


  • This topic is locked
19 replies to this topic

#1 florgat91


Posted 11 January 2010 - 12:07 PM

Hello - I was hit with a fake anti-spyware virus .. I removed a good chunk of it using Malwarebytes, Spybot and Super AntiSpyware .. but, I'm still getting browser redirects when clicking on links from inside a Google search .. I can open the link in a new tab correctly, the redirect happens when clicking on it. It appears to happen only in Google/Yahoo searches - clicking on links within specific websites work fine ..

also, I notice that the file, mcafeedatabackup.exe opens every time I boot up and consumes a large amount of cpu power .. I can close it in Task Manager but it will reopen on next boot..

I'm attaching the necessary logs -- Thank You very much for your help ! .. GM


DDS (Ver_09-12-01.01) - NTFSx86
Run by Greg Matses at 11:28:10.09 on Mon 01/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.485 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Greg Matses\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {5ca3d70e-1895-11cf-8e15-001234567890}: This BHO has been enabled by BHODemon.
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EF45B8E6-C662-4819-88B5-3C2AC20EF9DE} - No File
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [vsc32cnf.exe] c:\program files\roland\vsc32\vsc32cnf.exe
mRun: [vscvol.exe] c:\program files\roland\vsc32\vscvol.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [inhlcvlk] c:\windows\system32\config\systemprofile\local settings\application data\irahnn\vfnssysguard.exe
dRun: [xbfnwgqy] c:\windows\system32\config\systemprofile\local settings\application data\cyfpav\oapisysguard.exe
dRun: [qxdfxedv] c:\windows\system32\config\systemprofile\local settings\application data\fhuxce\uuxisysguard.exe
dRun: [inhlcvlk] c:\windows\system32\config\systemprofile\local settings\application data\irahnn\vfnssysguard.exe
StartupFolder: c:\docume~1\gregma~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{91130409-6000-11d3-8cfe-0150048383c9}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mfwakeys.lnk - c:\program files\motu\firewire audio\MFWAKeys.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: line6.net
Trusted Zone: mcafee.com
DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://berklee.webex.com/client/T27L/nbr/ieatgpc.cab
DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1}
DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7}
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregma~1\applic~1\mozilla\firefox\profiles\b88qdql9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\greg matses\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2003-12-28 11264]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-28 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-28 144704]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2009-4-12 188276]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-7-15 26496]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-28 40552]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [2004-6-21 15488]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2009-4-12 951284]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-8-24 410976]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-28 34248]
S3 MFWAGSIF;MOTU FireWire Audio GSIF;c:\windows\system32\drivers\mfwagsif.sys [2004-6-21 12800]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2004-6-21 18560]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWave.sys [2004-6-21 24320]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [2004-6-21 131456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2010-01-09 01:16:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 01:16:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 01:16:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 18:56:16 0 ----a-w- c:\windows\system32\6334.exe
2010-01-08 18:36:16 0 ----a-w- c:\windows\system32\18467.exe
2010-01-08 17:59:22 0 ----a-w- c:\windows\system32\IS15.exe
2010-01-07 17:09:22 0 d-----w- c:\program files\Way Out Ware
2010-01-04 16:50:19 0 d-----w- c:\program files\Toontrack
2010-01-04 05:09:50 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-01-04 02:05:52 0 d-----w- c:\program files\IK Multimedia
2010-01-03 22:22:28 16 ----a-w- c:\windows\system32\w3data.vss
2010-01-03 22:22:28 16 ----a-w- c:\windows\system32\msvcsv60.dll
2010-01-03 22:22:28 16 ----a-w- c:\windows\msocreg32.dat
2009-12-29 02:02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-28 02:44:20 0 d-----w- c:\program files\FLAC to MP3 Converter
2009-12-28 01:46:10 0 d-----w- c:\program files\MusEdit v3.95
2009-12-28 00:42:43 0 d-----w- c:\program files\iPod
2009-12-28 00:42:38 0 d-----w- c:\program files\iTunes
2009-12-27 23:14:18 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-16 23:07:55 0 d-----w- c:\program files\SpywareBlaster

==================== Find3M ====================

2010-01-11 03:19:56 37472 ---ha-w- c:\windows\fonts\infoview.fon
2009-12-15 06:02:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-15 06:02:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-10 06:42:40 81212 ---h--w- c:\windows\system32\mlfcache.dat
2009-11-06 15:53:52 267264 ----a-w- c:\windows\PEV.exe
2009-11-03 00:47:08 17384 ------w- c:\windows\system32\nvModes.dat
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-25 11:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-22 02:53:25 177766 ----a-w- c:\windows\fonts\AdobeFnt09.lst
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2008-09-01 17:29:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 11:31:10.14 ===============

#2 florgat91


Posted 12 January 2010 - 08:44 PM

update - on subsequent scans, Spybot continues to find and remove 2 registry keys infected with Fraud-Sysguard malware .. also, McAfee VirusScan continues to find and quarantine a trojan in C:\Windows\Temp ..

also - Mcafeedatabackup.exe is still opening on boot but not taking up any cpu ..

thx - g

#3 florgat91


Posted 12 January 2010 - 11:53 PM

update #2 - as of today, links out of a Google search that I try to open in a new tab are also being hijacked.

thx - g

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 16 January 2010 - 01:50 PM.


#4 schrauber


Posted 16 January 2010 - 04:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 florgat91


Posted 17 January 2010 - 06:38 PM

Hi schrauber and thank you for your help - I'm still getting browser redirects from Google or Yahoo searches -- either when I click on a link or try to open in a new tab -- I've run Malwarebytes, Spybot, SuperAntiSpyware and McAfee VirusScan and cleaned up a bunch of remnants of a fake spyware attack -- DDS log follows and I've attached the accompanying zip file .. thanks - GM


DDS (Ver_09-12-01.01) - NTFSx86
Run by Greg Matses at 18:17:07.64 on Sun 01/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.551 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Greg Matses\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {5ca3d70e-1895-11cf-8e15-001234567890}: This BHO has been enabled by BHODemon.
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EF45B8E6-C662-4819-88B5-3C2AC20EF9DE} - No File
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [vsc32cnf.exe] c:\program files\roland\vsc32\vsc32cnf.exe
mRun: [vscvol.exe] c:\program files\roland\vsc32\vscvol.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
dRun: [xbfnwgqy] c:\windows\system32\config\systemprofile\local settings\application data\cyfpav\oapisysguard.exe
dRun: [qxdfxedv] c:\windows\system32\config\systemprofile\local settings\application data\fhuxce\uuxisysguard.exe
dRun: [inhlcvlk] c:\windows\system32\config\systemprofile\local settings\application data\irahnn\vfnssysguard.exe
dRun: [utbxlyjq] c:\windows\system32\config\systemprofile\local settings\application data\uvlcqo\dtpnsysguard.exe
StartupFolder: c:\docume~1\gregma~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{91130409-6000-11d3-8cfe-0150048383c9}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mfwakeys.lnk - c:\program files\motu\firewire audio\MFWAKeys.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: line6.net
Trusted Zone: mcafee.com
DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://berklee.webex.com/client/T27L/nbr/ieatgpc.cab
DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1}
DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7}
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregma~1\applic~1\mozilla\firefox\profiles\b88qdql9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\greg matses\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2003-12-28 11264]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-28 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-28 144704]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2009-4-12 188276]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-7-15 26496]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-28 35272]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [2004-6-21 15488]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2009-4-12 951284]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-8-24 410976]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-28 40552]
S3 MFWAGSIF;MOTU FireWire Audio GSIF;c:\windows\system32\drivers\mfwagsif.sys [2004-6-21 12800]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2004-6-21 18560]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWave.sys [2004-6-21 24320]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [2004-6-21 131456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-28 606736]

=============== Created Last 30 ================

2010-01-13 16:11:35 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 01:16:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 01:16:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 01:16:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 18:56:16 0 ----a-w- c:\windows\system32\6334.exe
2010-01-08 18:36:16 0 ----a-w- c:\windows\system32\18467.exe
2010-01-07 17:09:22 0 d-----w- c:\program files\Way Out Ware
2010-01-04 16:50:19 0 d-----w- c:\program files\Toontrack
2010-01-04 05:09:50 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-01-04 02:05:52 0 d-----w- c:\program files\IK Multimedia
2010-01-03 22:22:28 16 ----a-w- c:\windows\system32\w3data.vss
2010-01-03 22:22:28 16 ----a-w- c:\windows\system32\msvcsv60.dll
2010-01-03 22:22:28 16 ----a-w- c:\windows\msocreg32.dat
2009-12-29 02:02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-28 02:44:20 0 d-----w- c:\program files\FLAC to MP3 Converter
2009-12-28 01:46:10 0 d-----w- c:\program files\MusEdit v3.95
2009-12-28 00:42:43 0 d-----w- c:\program files\iPod
2009-12-28 00:42:38 0 d-----w- c:\program files\iTunes
2009-12-27 23:14:18 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-01-11 03:19:56 37472 ---ha-w- c:\windows\fonts\infoview.fon
2009-12-15 06:02:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-15 06:02:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-10 06:42:40 81212 ---h--w- c:\windows\system32\mlfcache.dat
2009-11-06 15:53:52 267264 ----a-w- c:\windows\PEV.exe
2009-11-03 00:47:08 17384 ------w- c:\windows\system32\nvModes.dat
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-25 11:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-22 02:53:25 177766 ----a-w- c:\windows\fonts\AdobeFnt09.lst
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2008-09-01 17:29:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 18:19:27.07 ===============
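The DDS sections above (the Run keys, the Hosts line and "Created Last 30") can be screened mechanically before a helper reads them by hand. The script below is an added example, not part of this thread and not DDS code: it applies three simple heuristics to lines in the format DDS prints. It flags autoruns whose target lives under a profile's Local Settings\Application Data or Temp folder or under the SYSTEM account's profile (the three `*sysguard.exe` entries above fall in that class), any Hosts override (DDS only prints non-default entries), and zero-byte or purely numeric-named executables created in system32. The sample input mixes lines copied from the log above with one constructed benign Run entry (a hypothetical QuickTime task) as a control. The rules are my choices for a first pass, not a verdict on the files.

```python
"""Triage the autorun, Hosts and file-creation lines of a DDS log (added example)."""
import re

# Run-key targets under a profile's Local Settings / Application Data, its Temp
# folder, or the SYSTEM profile are unusual for installed software.  Heuristic
# chosen for this example, not a DDS rule.
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\config\\systemprofile\\",
)

# Line shapes as DDS prints them; the u/m/d prefix is carried through unchanged.
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<addr>\S+) (?P<host>\S+)")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)


def triage_line(line):
    """Return (reason, detail) if the line looks suspect, else None."""
    m = RUN_RE.match(line)
    if m:
        target = m.group("target").lower()
        if any(d in target for d in SUSPECT_DIRS):
            return ("autorun from profile/temp directory", m.group("target"))
        return None
    m = HOSTS_RE.match(line)
    if m:
        # Every Hosts line DDS prints is a non-default mapping; one that pins a
        # security site to 127.0.0.1 blocks the user from reaching it.
        return ("hosts override", "%s -> %s" % (m.group("host"), m.group("addr")))
    m = CREATED_RE.match(line)
    if m:
        path = m.group("path").lower()
        size = int(m.group("size"))
        base = path.rsplit("\\", 1)[-1]
        stem, _, ext = base.rpartition(".")
        if ext in ("exe", "dll", "sys") and "\\windows\\system32\\" in path:
            if size == 0:
                return ("zero-byte executable in system32", m.group("path"))
            if stem.isdigit():
                return ("numeric-named executable in system32", m.group("path"))
        return None
    return None


def triage(log_text):
    """Run triage_line over every line of a DDS log and collect the hits in order."""
    hits = []
    for line in log_text.splitlines():
        hit = triage_line(line.strip())
        if hit:
            hits.append(hit)
    return hits


# Sample input: lines copied from the DDS log in this thread, plus one
# constructed benign mRun entry (hypothetical QuickTime task) as a control.
SAMPLE = r"""
dRun: [qxdfxedv] c:\windows\system32\config\systemprofile\local settings\application data\fhuxce\uuxisysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mRun: [QuickTime Task] c:\program files\quicktime\qttask.exe -atboottime
Hosts: 127.0.0.1 www.spywareinfo.com
2010-01-09 01:16:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 18:56:16 0 ----a-w- c:\windows\system32\6334.exe
2010-01-08 18:36:16 0 ----a-w- c:\windows\system32\18467.exe
""".strip()

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE):
        print("%-40s %s" % (reason, detail))
```

On the sample this reports the `uuxisysguard.exe` autorun, the `www.spywareinfo.com` Hosts override and the two zero-byte executables, and stays quiet on the Malwarebytes driver, the Adobe startup shortcut and the control entry. A hit only says "look here"; the file itself still has to be examined.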

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:10 PM

Posted 18 January 2010 - 02:02 PM

Hello florgat91, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
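One of the findings a GMER log can contain (and the reply below does) is a driver whose entry point sits in its ".rsrc" section. A resource section holds data, not code, so an entry point there means the file was rebuilt or patched after it was linked. The script below is an added example, not GMER's code and not part of schrauber's instructions: it reproduces that single check from the PE headers, reporting which section contains AddressOfEntryPoint and flagging a resource section or any section not marked executable. The two images it inspects are constructed in memory (headers only, no section bodies) and are not real drivers; `check_file` is a helper of mine for running the same check on a file path.

```python
"""Which section owns a PE file's entry point?  Added example, not GMER's code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_pe(data):
    """Return (entry_rva, [(name, rva, size, characteristics), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    table = opt + size_of_opt                  # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, rva, raw_size = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, rva, max(virt_size, raw_size), chars))
    return entry_rva, sections


def entry_point_section(data):
    """(name, characteristics) of the section holding the entry point, or None."""
    entry_rva, sections = parse_pe(data)
    for name, rva, size, chars in sections:
        if rva <= entry_rva < rva + size:
            return name, chars
    return None


def check_entry_point(data):
    """Classify the entry point the way GMER's '.rsrc' finding does."""
    hit = entry_point_section(data)
    if hit is None:
        return "suspicious: entry point maps to no section"
    name, chars = hit
    if name == ".rsrc" or not chars & IMAGE_SCN_MEM_EXECUTE:
        return 'suspicious: entry point in "%s" section' % name
    return 'ok: entry point in "%s" section' % name


def check_file(path):
    """Run the check on a file on disk (helper for this example)."""
    with open(path, "rb") as f:
        return check_entry_point(f.read())


def build_pe(entry_rva, sections):
    """Constructed PE32 header image for the demo; section bodies are omitted."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts: a normal driver with its entry point in .text, and the
# same layout with the entry point relocated into .rsrc.
TEXT = (b".text", 0x1000, 0x8000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
RSRC = (b".rsrc", 0x9000, 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
CLEAN_IMAGE = build_pe(0x1234, [TEXT, RSRC])
PATCHED_IMAGE = build_pe(0x97A4, [TEXT, RSRC])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, "->", check_entry_point(image))
```

Two caveats. This reproduces only the entry-point test; GMER's separate "suspicious modification" verdict comes from a comparison this script does not perform. And if a kernel-mode component on the live system is filtering disk reads, the bytes `check_file` sees may not be the bytes on disk, so read the file again from an offline boot and compare before trusting a clean result.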

#7 florgat91

florgat91
  • Topic Starter

  • Members
  • 28 posts
  • Local time:08:10 AM

Posted 18 January 2010 - 11:51 PM

Hi Tom - I had a lot of problems running GMER - it kept locking up my computer or crashing it when I tried to save the log - also, no luck in Safe Mode - couldn't access all the buttons due to GMER's screen size in safe mode... anyhow, I did manage to save a Rootkit quickscan log and a Rootkit scan that was almost finished ... they follow:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-18 22:59:37
Windows 5.1.2600 Service Pack 3
Running: 1hz9u7hh.exe; Driver: C:\DOCUME~1\GREGMA~1\LOCALS~1\Temp\pwdorkod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAE02E78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAE02E738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAE02E74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAE02E7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAE02E710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAE02E724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAE02E79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAE02E776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAE02E762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAE02E7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAE02E7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAE02E7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3D0618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


********************************************************************************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 23:02:39
Windows 5.1.2600 Service Pack 3
Running: 1hz9u7hh.exe; Driver: C:\DOCUME~1\GREGMA~1\LOCALS~1\Temp\pwdorkod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAE02E78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAE02E738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAE02E74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAE02E7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAE02E710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAE02E724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAE02E79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAE02E776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAE02E762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAE02E7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAE02E7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAE02E7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP AE02E7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP AE02E78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP AE02E766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP AE02E7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP AE02E7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP AE02E714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP AE02E7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP AE02E750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP AE02E7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP AE02E73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1941 5 Bytes JMP AE02E728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635977 5 Bytes JMP AE02E77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74B87A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D30F83
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D3006E
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D30051
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30F94
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D3002C
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D300B3
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D30F61
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D300F0
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D300DF
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D30F3C
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D30FAF
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D3000A
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D30F72
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30FC0
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D3001B
.text C:\WINDOWS\System32\svchost.exe[260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D300C4
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FB9
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C006F
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0FA8
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006C0040
.text C:\WINDOWS\System32\svchost.exe[260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0025
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0FA6
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0FB7
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0FD2
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FE3
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0027
.text C:\WINDOWS\System32\svchost.exe[260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B000C
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006A000A
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006A0FD4
.text C:\WINDOWS\System32\svchost.exe[260] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006A0FB9
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02980000
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02980098
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02980FA3
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0298007D
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02980062
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0298003D
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 029800DA
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 029800BF
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02980F63
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 029800FC
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02980F52
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02980FC0
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02980FE5
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02980F88
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0298002C
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02980011
.text C:\WINDOWS\system32\wuauclt.exe[444] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 029800EB
.text C:\WINDOWS\system32\wuauclt.exe[444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02960F95
.text C:\WINDOWS\system32\wuauclt.exe[444] msvcrt.dll!system 77C293C7 5 Bytes JMP 02960FB0
.text C:\WINDOWS\system32\wuauclt.exe[444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0296000C
.text C:\WINDOWS\system32\wuauclt.exe[444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02960FEF
.text C:\WINDOWS\system32\wuauclt.exe[444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02960FC1
.text C:\WINDOWS\system32\wuauclt.exe[444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02960FD2
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02970051
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02970091
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02970040
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0297001B
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02970FD4
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02970000
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02970FEF
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B7, 8A] {MOV BH, 0x8a}
.text C:\WINDOWS\system32\wuauclt.exe[444] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0297006C
.text C:\WINDOWS\system32\wuauclt.exe[444] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02940000
.text C:\WINDOWS\system32\wuauclt.exe[444] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02940FE5
.text C:\WINDOWS\system32\wuauclt.exe[444] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02940FD4
.text C:\WINDOWS\system32\wuauclt.exe[444] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02940FC3
.text C:\WINDOWS\system32\wuauclt.exe[444] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02950FE5
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0087
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F92
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF005B
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0040
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F4B
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F5C
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F1C
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00B5
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0F01
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F6D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A8143D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3D0618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
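A triage script for GMER logs like the one above, as an added example that is not part of this thread or of GMER itself: it parses the inline-hook, "Device ->" and "File" lines, groups hooks by process, and flags hooks whose JMP target GMER could not attribute to a module, partial (non-5-byte) patches, redirected device objects and files marked as suspiciously modified. The sample lines are copied from the GMER log posted in this thread; the function names and the regular expressions are my own.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's own code).

Groups user-mode inline hooks by process and surfaces what a responder reads
first: hooks whose JMP target GMER could not attribute to a module, partial
(non-5-byte) patches, redirected device objects and files GMER marks as
suspiciously modified.  SAMPLE_LOG holds lines copied from the log in this thread.
"""
import re
from collections import defaultdict

# .text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Byte(s) JMP <target> [<module> (<desc>)]
# or   .text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Byte(s) [<raw bytes>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s*\d+)?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<len>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\))?"
    r"|\[(?P<raw>[^\]]+)\])\s*$"
)
# "Device -> <driver> <device> <addr>": GMER could not map the device's driver
# pointer to a loaded driver file, so it prints a bare address instead of a name.
DEVICE_RE = re.compile(
    r"^Device\s+->\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-F]{8})\s*$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")

# Lines copied from the GMER log in this thread (a subset, for a stand-alone run).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01200000
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01170FAF
.text C:\WINDOWS\system32\lsass.exe[700] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01150000
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A50FA8
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 88]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1800] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3D0618
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


def parse_gmer(text):
    """Return (hooks, devices, files) parsed from a GMER log; unknown lines are skipped."""
    hooks, devices, files = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["len"] = int(d["pid"]), int(d["len"])
            hooks.append(d)
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(m.groupdict())
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.group("path"))
    return hooks, devices, files


def summarize_hooks(hooks):
    """Per process: hook count, hooked DLLs, hooks into unattributed memory, partial patches."""
    per_proc = defaultdict(lambda: {"hooks": 0, "dlls": set(), "unattributed": 0, "partial": 0})
    for h in hooks:
        s = per_proc[f"{h['proc']}[{h['pid']}]"]
        s["hooks"] += 1
        s["dlls"].add(h["dll"])
        # A JMP with no trailing "<module> (<desc>)" lands in memory GMER could not map to a file.
        if h["target"] and not h["module"]:
            s["unattributed"] += 1
        # A 5-byte relative JMP is the usual inline hook; other lengths are split or partial patches.
        if h["len"] != 5:
            s["partial"] += 1
    return dict(per_proc)


def findings(text):
    """Triage lines. Legitimate security products hook the same way (this thread's
    log is mostly McAfee), so these are leads to check, not verdicts."""
    hooks, devices, files = parse_gmer(text)
    out = []
    for proc, s in sorted(summarize_hooks(hooks).items()):
        if s["unattributed"] or s["partial"]:
            out.append(
                f"{proc}: {s['unattributed']}/{s['hooks']} hooks jump to unattributed memory, "
                f"{s['partial']} partial patches, hooked DLLs: {', '.join(sorted(s['dlls']))}"
            )
    for d in devices:
        out.append(f"{d['device']}: driver {d['driver']} redirected to unattributed address {d['addr']}")
    for path in files:
        out.append(f"{path}: GMER reports a suspicious modification")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Hooks that carry a module name (the mcproxy.exe lines here) drop out of the findings, which is the point: the list left over is what still needs a manual look.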


#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:10 PM

Posted 20 January 2010 - 12:44 PM

Hi,


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#9 florgat91

florgat91
  • Topic Starter

  • Members
  • 28 posts
  • Local time:08:10 AM

Posted 20 January 2010 - 11:32 PM

Hi Tom - I can't download combofix.exe (even when renaming it) - I get a "Cannot Copy Combofix[1].exe. Access is Denied ... " message -- also, McAfee blocks an Artemis Trojan that seems to be attached to the file .. it seems to download ok, the message happens just when it's copying to the desktop .. any other way to download it .. thanks - GM

#10 florgat91

florgat91
  • Topic Starter

  • Members
  • 28 posts
  • Local time:08:10 AM

Posted 21 January 2010 - 11:23 AM

Hi Tom - I was able to download Combofix so you can disregard my last post ... Combofix log follows .. thanks!


ComboFix 10-01-20.06 - Greg Matses 01/21/2010 11:01:12.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.758 [GMT -5:00]
Running from: c:\documents and settings\Greg Matses\Desktop\schrauber.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe
c:\windows\system32\msvcsv60.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-13 16:11 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 20:17 . 2010-01-12 20:17 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\uvlcqo
2010-01-12 14:34 . 2010-01-12 14:34 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2010-01-09 23:59 . 2010-01-09 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-09 19:05 . 2010-01-09 19:05 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\irahnn
2010-01-09 01:18 . 2010-01-09 01:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-09 01:16 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 01:16 . 2010-01-09 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 01:16 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 01:08 . 2010-01-08 01:08 3128 ----a-r- c:\documents and settings\Greg Matses\Application Data\Microsoft\Installer\{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}\ARPPRODUCTICON.exe
2010-01-07 22:20 . 2010-01-07 22:20 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\fhuxce
2010-01-07 18:13 . 2010-01-07 18:13 3128 ----a-r- c:\documents and settings\Greg Matses\Application Data\Microsoft\Installer\{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}\ARPPRODUCTICON.exe
2010-01-07 17:26 . 2010-01-07 17:26 3128 ----a-r- c:\documents and settings\Greg Matses\Application Data\Microsoft\Installer\{430399DC-98BC-4A7F-8F8E-77981CABAE05}\ARPPRODUCTICON.exe
2010-01-07 17:09 . 2010-01-07 17:09 -------- d-----w- c:\program files\Way Out Ware
2010-01-04 19:16 . 2010-01-04 19:16 3128 ----a-r- c:\documents and settings\Greg Matses\Application Data\Microsoft\Installer\{147567F0-8575-4BE0-B5B3-62706C67FA5A}\ARPPRODUCTICON.exe
2010-01-04 16:56 . 2010-01-04 16:56 3128 ----a-r- c:\documents and settings\Greg Matses\Application Data\Microsoft\Installer\{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}\ARPPRODUCTICON.exe
2010-01-04 16:50 . 2010-01-04 16:50 -------- d-----w- c:\program files\Toontrack
2010-01-04 05:09 . 2004-09-30 18:13 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-01-04 02:05 . 2010-01-04 02:05 -------- d-----w- c:\program files\IK Multimedia
2010-01-03 22:22 . 2010-01-11 02:07 16 ----a-w- c:\windows\msocreg32.dat
2010-01-02 05:09 . 2010-01-02 05:09 -------- d-----w- c:\documents and settings\Greg Matses\Application Data\MSN6
2010-01-02 02:40 . 2010-01-02 02:40 -------- d-----w- c:\program files\7-Zip
2010-01-02 02:15 . 2010-01-02 02:15 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\cyfpav
2010-01-02 02:13 . 2010-01-09 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-29 02:02 . 2010-01-09 23:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-28 02:44 . 2009-12-28 02:45 -------- d-----w- c:\program files\FLAC to MP3 Converter
2009-12-28 01:46 . 2009-12-28 01:46 -------- d-----w- c:\program files\MusEdit v3.95
2009-12-28 00:42 . 2009-12-28 00:42 -------- d-----w- c:\program files\iPod
2009-12-28 00:42 . 2009-12-28 00:43 -------- d-----w- c:\program files\iTunes
2009-12-28 00:37 . 2009-12-28 00:38 -------- d-----w- c:\program files\QuickTime
2009-12-28 00:28 . 2009-12-28 00:28 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-27 23:14 . 2009-12-27 23:14 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 16:17 . 2007-07-02 03:07 3954 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-01-16 16:02 . 2009-10-31 04:38 117760 ----a-w- c:\documents and settings\Greg Matses\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-15 23:19 . 2005-01-30 03:21 -------- d-----w- c:\program files\SampleTank 2
2010-01-15 00:48 . 2009-12-16 23:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-15 00:47 . 2009-12-16 23:07 -------- d-----w- c:\program files\SpywareBlaster
2010-01-12 17:38 . 2009-12-18 19:54 52224 ----a-w- c:\documents and settings\Greg Matses\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-11 03:19 . 2003-12-29 05:08 37472 ---ha-w- c:\windows\Fonts\infoview.fon
2010-01-09 04:01 . 2009-10-24 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-09 03:58 . 2009-10-24 19:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-08 23:01 . 2009-10-31 04:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-05 03:37 . 2003-12-29 04:45 -------- d-----w- c:\program files\Steinberg
2010-01-04 02:06 . 2003-12-08 13:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-29 16:02 . 2004-01-06 22:33 -------- d-----w- c:\program files\Wavelab
2009-12-28 00:42 . 2007-10-20 13:36 -------- d-----w- c:\program files\Common Files\Apple
2009-12-28 00:08 . 2005-11-14 01:25 -------- d-----w- c:\program files\Rhapsody
2009-12-26 20:47 . 2009-08-30 01:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-26 20:47 . 2008-12-25 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-26 20:43 . 2003-12-08 13:16 -------- d-----w- c:\program files\Microsoft Money
2009-12-17 21:21 . 2008-12-15 02:49 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-15 06:02 . 2003-04-23 15:29 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-15 06:02 . 2003-04-23 15:29 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2009-12-12 22:03 . 2009-12-05 16:39 -------- d-----w- c:\documents and settings\Greg Matses\Application Data\webex
2009-12-10 22:41 . 2004-07-08 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-10 06:42 . 2009-11-10 06:42 81212 ---h--w- c:\windows\system32\mlfcache.dat
2009-11-04 03:50 . 2009-11-04 03:50 152576 ----a-w- c:\documents and settings\Greg Matses\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 00:47 . 2003-12-08 12:54 17384 ------w- c:\windows\system32\nvModes.dat
2009-10-29 07:45 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2006-05-03 09:06 . 2009-08-31 01:24 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2009-08-31 01:24 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
2008-03-16 12:30 . 2009-08-31 01:24 216064 --sh--r- c:\windows\SYSTEM32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-09-23 204800]
"nwiz"="nwiz.exe" [2004-08-19 921600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-19 4554752]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 45056]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2003-03-07 209800]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-13 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"vsc32cnf.exe"="c:\program files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 36864]
"vscvol.exe"="c:\program files\Roland\VSC32\vscvol.exe" [2000-02-09 36864]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

c:\documents and settings\Greg Matses\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2003-12-8 794624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-8-24 25214]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-16 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-12-8 24576]
MFWAKeys.lnk - c:\program files\MOTU\FireWire Audio\MFWAKeys.exe [2004-6-21 126976]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI6"=vscapi.dll
"WAVE6"=vscapi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\hmremote\\WinVNC.exe"=
"c:\\Program Files\\Dell TrueMobile 2300\\ControlUtility.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 Asapi;Asapi;c:\windows\SYSTEM32\DRIVERS\asapi.sys [12/28/2003 11:46 PM 11264]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [4/12/2009 10:38 PM 188276]
R3 L6DP;L6DP;c:\windows\SYSTEM32\DRIVERS\l6dp.sys [7/15/2002 10:39 PM 26496]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\SYSTEM32\DRIVERS\motubus.sys [6/21/2004 10:00 AM 15488]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\SYSTEM32\DRIVERS\vsc.sys [4/12/2009 8:27 PM 951284]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [8/24/2009 2:12 PM 410976]
S3 MFWAGSIF;MOTU FireWire Audio GSIF;c:\windows\SYSTEM32\DRIVERS\mfwagsif.sys [6/21/2004 10:00 AM 12800]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\SYSTEM32\DRIVERS\MFWAMIDI.sys [6/21/2004 10:00 AM 18560]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\SYSTEM32\DRIVERS\MFWAWave.sys [6/21/2004 10:00 AM 24320]
S3 MotuFWA;MotuFWA;c:\windows\SYSTEM32\DRIVERS\motufwa.sys [6/21/2004 10:00 AM 131456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-28 16:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-28 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: line6.net
Trusted Zone: mcafee.com
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1}
DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7}
FF - ProfilePath - c:\documents and settings\Greg Matses\Application Data\Mozilla\Firefox\Profiles\b88qdql9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Greg Matses\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{EF45B8E6-C662-4819-88B5-3C2AC20EF9DE} - (no file)
Notify-iifdDtrO - (no file)
Notify-WgaLogon - (no file)
AddRemove-TimewARP 2600 v1.10 - c:\progra~1\WAYOUT~1\TIMEWA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 11:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-01-21 11:10:54
ComboFix-quarantined-files.txt 2010-01-21 16:10

Pre-Run: 20,391,866,368 bytes free
Post-Run: 20,542,328,832 bytes free

- - End Of File - - AC55B0C8BA2AFA9E03AB1347B1A6CDD2


#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:10 PM

Posted 22 January 2010 - 02:55 PM

Hi,

Please update your version of Malwarebytes and run a quick scan, then post back with the content of the logfile. Also, please post back with a fresh Gmer logfile.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#12 florgat91

florgat91
  • Topic Starter

  • Members
  • 28 posts
  • Local time:08:10 AM

Posted 23 January 2010 - 12:45 PM

Hi Tom - the logs follow .. GMER crashes my computer so I have to stop the scan before it finishes just to get anything. I'll post the quick GMER scan and the aborted full scan after the Malwarebytes quick scan log .. thanks - GM


Malwarebytes' Anti-Malware 1.44
Database version: 3618
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/22/2010 6:26:13 PM
mbam-log-2010-01-22 (18-26-13).txt

Scan type: Quick Scan
Objects scanned: 125599
Time elapsed: 9 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-23 12:12:20
Windows 5.1.2600 Service Pack 3
Running: 1hz9u7hh.exe; Driver: C:\DOCUME~1\GREGMA~1\LOCALS~1\Temp\pwdorkod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB852678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB8526738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB852674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB85267CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB8526710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB8526724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB852679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB8526776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB8526762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB85267F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB85267E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB85267B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-23 12:27:00
Windows 5.1.2600 Service Pack 3
Running: 1hz9u7hh.exe; Driver: C:\DOCUME~1\GREGMA~1\LOCALS~1\Temp\pwdorkod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB8ACF78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB8ACF738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB8ACF74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB8ACF7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB8ACF710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB8ACF724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB8ACF79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB8ACF776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB8ACF762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB8ACF7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB8ACF7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB8ACF7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP B8ACF7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP B8ACF78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP B8ACF766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP B8ACF7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP B8ACF7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP B8ACF714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP B8ACF7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP B8ACF750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP B8ACF7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP B8ACF73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1941 5 Bytes JMP B8ACF728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635977 5 Bytes JMP B8ACF77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027E000A
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027E0098
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027E007D
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027E0F99
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027E0062
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027E0047
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027E00B5
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027E0F6D
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027E00F2
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027E00E1
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027E0117
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027E0FC0
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027E0025
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027E0F88
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027E0FE5
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027E0036
.text C:\WINDOWS\system32\wuauclt.exe[328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027E00D0
.text C:\WINDOWS\system32\wuauclt.exe[328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027C005A
.text C:\WINDOWS\system32\wuauclt.exe[328] msvcrt.dll!system 77C293C7 5 Bytes JMP 027C003F
.text C:\WINDOWS\system32\wuauclt.exe[328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027C001D
.text C:\WINDOWS\system32\wuauclt.exe[328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027C002E
.text C:\WINDOWS\system32\wuauclt.exe[328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027C0000
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027D002F
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027D0076
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027D0FD4
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027D005B
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027D0000
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027D0FB9
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9D, 8A]
.text C:\WINDOWS\system32\wuauclt.exe[328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027D0040
.text C:\WINDOWS\system32\wuauclt.exe[328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027B0000
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F3A
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070082
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F18
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F29
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EFD
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F57
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0007009D
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050031
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!system 77C293C7 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC1
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FA6
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C3007D
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30062
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30051
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C300B5
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C30F63
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C300EB
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C300DA
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C300FC
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30F9E
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C3008E
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30F52
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20F8A
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C20FDB
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C20011
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20FA5
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C20047
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20036
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C1005A
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10049
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10FD9
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10038
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C1001D
.text C:\WINDOWS\system32\lsass.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE008D
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F8E
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0068
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE004D
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FBC
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F7D
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE00C5
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F3D
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F62
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE00F1
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0FAB
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE009E
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FCD
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE001E
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00E0
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B60047
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B60FA5
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B60FB6
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B60058
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B60FDB
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B50F81
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50F9C
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B50FD2
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B50FB7
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B50FE3
.text C:\WINDOWS\system32\svchost.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 031D0FEF
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 031D007D
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 031D006C
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 031D005B
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 031D0FA8
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 031D0FCA
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031D0F5C
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 031D00A4
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031D0F30
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031D0F4B
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 031D0F1F
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 031D0FB9
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 031D0000
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 031D0F6D
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 031D0036
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 031D001B
.text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 031D00C9
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 031C002C
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 031C0062
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 031C0FDB
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 031C0011
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 031C0FA5
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 031C0000
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 031C0FC0
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3C, 8B] {CMP AL, 0x8b}
.text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 031C0047
.text C:\WINDOWS\Explorer.EXE[872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 031B0042
.text C:\WINDOWS\Explorer.EXE[872] msvcrt.dll!system 77C293C7 5 Bytes JMP 031B0FC1
.text C:\WINDOWS\Explorer.EXE[872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 031B000C
.text C:\WINDOWS\Explorer.EXE[872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 031B0FEF
.text C:\WINDOWS\Explorer.EXE[872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 031B0027
.text C:\WINDOWS\Explorer.EXE[872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 031B0FD2
.text C:\WINDOWS\Explorer.EXE[872] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0319000A
.text C:\WINDOWS\Explorer.EXE[872] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0319001B
.text C:\WINDOWS\Explorer.EXE[872] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03190036
.text C:\WINDOWS\Explorer.EXE[872] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03190FE5
.text C:\WINDOWS\Explorer.EXE[872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 031A0FEF
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE004C
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F61
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE002F
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F7C
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0084
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0067
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00BA
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F17
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00D5
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0F97
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F3C
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0095
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD0FDB
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD0F97
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD0FA8
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0F86
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0F97
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC0FC6
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0011
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC0FD7
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03360FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03360087
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03360076
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03360065
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03360FA8
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03360039
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 033600C9
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03360F77
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03360109
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03360F66
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03360F55
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0336004A
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03360FDE
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 033600A2
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03360FCD
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03360014
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 033600E4
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0335003D
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03350FB3
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0335002C
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03350011
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0335007A
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03350000
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0335005F
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0335004E
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03340022
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 03340FA1
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03340FBC
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03340FEF
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03340011
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03340000
.text C:\WINDOWS\System32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03330FEF
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03320FEF
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03320FDE
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03320FCD
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03320FBC
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0000
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0F26
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0F41
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0F5C
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0F79
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C001B
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C0EE7
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C0F04
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C0EB1
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C0040
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007C005B
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007C0F9E
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007C0FDB
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007C0F15
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007C0FAF
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007C0FCA
.text C:\WINDOWS\System32\svchost.exe[1052] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007C0EC2
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007B0047
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007B00B3
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007B0036
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007B0025
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007B0098
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007B007D
.text C:\WINDOWS\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007B006C
.text C:\WINDOWS\System32\svchost.exe[1052] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007A0FA4
.text C:\WINDOWS\System32\svchost.exe[1052] msvcrt.dll!system 77C293C7 5 Bytes JMP 007A0025
.text C:\WINDOWS\System32\svchost.exe[1052] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[1052] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007A0FE3
.text C:\WINDOWS\System32\svchost.exe[1052] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007A0FB5
.text C:\WINDOWS\System32\svchost.exe[1052] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007A0FC6
.text C:\WINDOWS\System32\svchost.exe[1052] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F77
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A1006C
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10FAF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10089
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F41
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100D0
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100B5
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F1C
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A1001B
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10F52
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10051
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A1002C
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A100A4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00076
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00025
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00065
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A0004A
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0FBE
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0FD9
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F002E
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F003F
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F001D
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0067
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F72
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F8D
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0040
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0025
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F46
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0082
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F24
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00B3
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F13
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F57
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F35
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660014
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0066004A
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FB9
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FD4
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660F97
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FE5
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660FA8
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0066002F
.text C:\WINDOWS\System32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FA1
.text C:\WINDOWS\System32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650FBC
.text C:\WINDOWS\System32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FDE
.text C:\WINDOWS\System32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0065000C
.text C:\WINDOWS\System32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FCD
.text C:\WINDOWS\System32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FEF
.text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00630000
.text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00630FE5
.text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00630025
.text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00630FD4
.text C:\WINDOWS\System32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90042
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F57
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F68
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90F79
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90F94
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F10
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F21
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90EDA
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90073
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90098
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B9001B
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F32
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90000
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90EFF
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FA5
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80062
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FCA
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80047
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B80036
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80011
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FA8
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FB9
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70FDE
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70033
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 24 January 2010 - 07:49 AM

Hi,


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#14 florgat91

florgat91
  • Topic Starter

  • Members
  • 28 posts

Posted 24 January 2010 - 02:47 PM

Hi Tom - the ESET scan was clean so there is no log to post .. OTL logs follow - thanks, GM


OTL logfile created on: 1/24/2010 2:35:41 PM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\Greg Matses\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 37.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.85 Gb Total Space | 18.74 Gb Free Space | 33.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GREGLAPTOP
Current User Name: Greg Matses
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/24 14:33:20 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Greg Matses\Desktop\OTL.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/16 21:17:24 | 00,972,064 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/13 11:37:27 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2005/12/19 17:08:16 | 01,347,584 | ---- | M] (Dell Inc.) -- C:\WINDOWS\SYSTEM32\WLTRAY.EXE
PRC - [2005/12/19 17:08:16 | 00,018,944 | ---- | M] () -- C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE
PRC - [2005/12/19 17:08:14 | 01,200,128 | ---- | M] (Dell Inc.) -- C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE
PRC - [2004/12/14 01:12:02 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2004/07/27 16:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/05/14 08:35:50 | 00,536,576 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2004/05/13 18:23:56 | 00,098,304 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/02/25 07:17:52 | 00,126,976 | ---- | M] () -- C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
PRC - [2003/09/23 12:23:24 | 00,204,800 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\Media Experience\PCMService.exe
PRC - [2003/08/13 11:27:40 | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2003/06/25 11:11:04 | 00,057,344 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
PRC - [2003/06/25 10:32:48 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\SYSTEM32\LEXBCES.EXE
PRC - [2003/06/25 10:29:08 | 00,294,998 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
PRC - [2003/06/25 10:27:38 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\SYSTEM32\LEXPPS.EXE
PRC - [2003/06/20 04:43:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/05/21 14:30:52 | 00,045,056 | ---- | M] (Maxtor) -- C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe
PRC - [2003/04/07 17:09:48 | 00,118,784 | ---- | M] (Cypress Semiconductor) -- C:\WINDOWS\MXOALDR.EXE
PRC - [2003/03/07 13:36:30 | 00,209,800 | ---- | M] () -- C:\Program Files\Dell\AccessDirect\DadApp.exe
PRC - [2003/01/03 09:20:48 | 00,029,184 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\retrorun.exe
PRC - [2000/02/08 22:19:48 | 00,036,864 | ---- | M] (Roland) -- C:\Program Files\Roland\VSC32\vscvol.exe
PRC - [2000/02/07 02:02:44 | 00,036,864 | ---- | M] (Roland) -- C:\Program Files\Roland\VSC32\Vsc32Cnf.exe


========== Modules (SafeList) ==========

MOD - [2010/01/24 14:33:20 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Greg Matses\Desktop\OTL.exe
MOD - [2004/05/13 18:23:50 | 00,066,048 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\SYSTEM32\SynTPFcs.dll
MOD - [2002/11/01 17:48:12 | 00,061,440 | ---- | M] () -- C:\Program Files\Dell\AccessDirect\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/16 17:01:16 | 00,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/08/24 17:05:04 | 00,069,632 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 19:22:22 | 00,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/01/09 11:46:24 | 00,410,976 | ---- | M] (mst software GmbH, Germany) [On_Demand | Stopped] -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe -- (DfSdkS)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/11/09 18:30:14 | 00,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2005/12/19 17:08:16 | 00,018,944 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (WLTRYSVC)
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/19 00:44:00 | 00,127,042 | ---- | M] (NVIDIA Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\nvsvc32.exe -- (NVSvc)
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/06/25 10:32:48 | 00,303,104 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\LEXBCES.EXE -- (LexBceS)
SRV - [2003/01/03 09:20:48 | 00,029,184 | ---- | M] (Dantz Development Corporation) [Auto | Running] -- C:\Program Files\Dantz\Retrospect\retrorun.exe -- (RetroLauncher)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/27 19:38:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/27 19:38:32 | 00,000,000 | ---D | M]

[2008/12/21 23:56:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Mozilla\Extensions
[2009/10/27 09:29:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Mozilla\Firefox\Profiles\b88qdql9.default\extensions
[2008/12/19 22:40:22 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\Greg Matses\Application Data\Mozilla\Firefox\Profiles\b88qdql9.default\searchplugins\siteadvisor.xml
[2009/11/06 21:10:15 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/09/08 18:37:26 | 02,078,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2009/11/09 20:52:00 | 00,349,946 | R--- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12022 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - Reg Error: Value error. File not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {EF45B8E6-C662-4819-88B5-3C2AC20EF9DE} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\SYSTEM32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\DadApp.exe ()
O4 - HKLM..\Run: [Dell AIO Printer A940] C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe (Dell Computer Corporation)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe (Maxtor)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE (Cypress Semiconductor)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\Vsc32Cnf.exe (Roland)
O4 - HKLM..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe (Roland)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\Greg Matses\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk = C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: SpecifyDefaultButtons = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Search = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: line6.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://berklee.webex.com/client/T27L/nbr/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 68.87.73.242
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\iifdDtrO: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/GREGMA~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Components:1 () - file:///C:/DOCUME~1/GREGMA~1/LOCALS~1/Temp/msohtml1/01/clip_image001.gif
O24 - Desktop Components:2 () - file:///C:/DOCUME~1/GREGMA~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Components:3 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Greg Matses\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Greg Matses\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 09:59:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2003/12/08 07:33:36 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\SYSTEM32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: Ip6FwHlp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/24 14:33:16 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Greg Matses\Desktop\OTL.exe
[2010/01/24 12:25:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/01/24 12:25:14 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/01/21 12:49:16 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/21 10:52:01 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/21 10:52:00 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/21 10:52:00 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/21 10:52:00 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/21 10:50:54 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/02/13 09:56:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/02/13 09:56:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/25 21:39:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2007/10/26 23:13:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2007/08/18 08:29:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/07/01 22:05:14 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/07/01 21:17:44 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/06/20 12:36:16 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\LocalService\Application Data\GTek
[2006/02/19 15:31:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2004/11/09 08:54:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2003/12/08 07:35:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/01/24 14:33:20 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Greg Matses\Desktop\OTL.exe
[2010/01/24 12:06:53 | 00,002,533 | ---- | M] () -- C:\Documents and Settings\Greg Matses\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk
[2010/01/24 12:06:48 | 00,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/01/24 12:06:30 | 00,004,626 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/24 12:06:28 | 00,017,384 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/01/24 12:05:50 | 00,017,037 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/24 12:05:27 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/24 12:05:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/01/24 12:01:53 | 16,777,216 | ---- | M] () -- C:\Documents and Settings\Greg Matses\ntuser.dat
[2010/01/24 12:01:53 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Greg Matses\NTUSER.INI
[2010/01/23 18:54:38 | 00,000,771 | ---- | M] () -- C:\WINDOWS\MusEdit.INI
[2010/01/23 16:56:06 | 00,000,524 | ---- | M] () -- C:\WINDOWS\DELLSTAT.INI
[2010/01/21 11:13:59 | 00,106,912 | ---- | M] () -- C:\Documents and Settings\Greg Matses\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/21 11:08:51 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/19 17:47:02 | 00,870,128 | ---- | M] () -- C:\WINDOWS\System32\mcs.rma
[2010/01/19 17:47:02 | 00,000,004 | ---- | M] () -- C:\WINDOWS\System32\83A625
[2010/01/18 22:44:54 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/18 22:17:02 | 00,481,136 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/18 18:02:39 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Greg Matses\Desktop\1hz9u7hh.exe
[2010/01/17 18:23:15 | 00,004,118 | ---- | M] () -- C:\Documents and Settings\Greg Matses\Desktop\Attach.zip
[2010/01/15 01:12:04 | 00,000,352 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/01/13 11:33:17 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/12 09:39:38 | 00,000,642 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/01/12 09:39:38 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/11 11:24:48 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Greg Matses\Desktop\dds.scr
[2010/01/10 22:08:08 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/10 21:44:31 | 00,046,056 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/01/10 21:07:24 | 00,000,016 | ---- | M] () -- C:\WINDOWS\System32\w3data.vss
[2010/01/10 21:07:24 | 00,000,016 | ---- | M] () -- C:\WINDOWS\msocreg32.dat

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,049,362 | ---- | C] () -- C:\WINDOWS\System32\adwfil.dll
[2099/01/01 12:00:00 | 00,000,412 | ---- | C] () -- C:\WINDOWS\System32\usrfil.dll
[2099/01/01 12:00:00 | 00,000,256 | ---- | C] () -- C:\WINDOWS\System32\srchout.dll
[2010/01/21 10:52:00 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/21 10:52:00 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/21 10:52:00 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/18 18:02:34 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Greg Matses\Desktop\1hz9u7hh.exe
[2010/01/17 18:23:15 | 00,004,118 | ---- | C] () -- C:\Documents and Settings\Greg Matses\Desktop\Attach.zip
[2010/01/11 11:24:44 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Greg Matses\Desktop\dds.scr
[2009/08/30 20:32:12 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/08/20 18:43:27 | 00,000,002 | -HS- | C] () -- C:\Documents and Settings\Greg Matses\Application Data\evf
[2009/04/12 20:27:45 | 00,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009/04/12 11:32:56 | 00,001,582 | ---- | C] () -- C:\WINDOWS\tefview.ini
[2008/12/15 10:03:45 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/12/15 10:03:41 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/06/10 19:07:20 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/06/10 19:03:26 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/06/10 19:03:26 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/05/22 17:18:54 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/04 17:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/07/01 22:08:58 | 00,000,134 | ---- | C] () -- C:\Documents and Settings\Greg Matses\Local Settings\Application Data\fusioncache.dat
[2006/05/16 16:01:00 | 00,000,173 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2006/05/16 16:00:32 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2006/01/10 13:34:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/11/21 12:08:41 | 00,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2004/11/27 17:23:56 | 00,000,031 | ---- | C] () -- C:\WINDOWS\bewin32.INI
[2004/10/26 17:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/10/15 04:10:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2004/08/11 15:16:17 | 00,000,446 | ---- | C] () -- C:\WINDOWS\System32\MSrev23.dll
[2004/08/11 15:16:15 | 00,000,398 | ---- | C] () -- C:\WINDOWS\System32\MSrev43.dll
[2004/07/01 13:40:32 | 00,000,045 | ---- | C] () -- C:\WINDOWS\DumpTool.INI
[2004/05/15 22:07:21 | 00,091,648 | ---- | C] () -- C:\WINDOWS\System32\Mros416.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\zxmsn.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\xcwer32.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\wecxg32.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\sdfup.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\icvbr.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\icqrt.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\icnfe.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\gupd.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\cidpoq32.dll
[2004/04/12 22:10:04 | 00,000,766 | ---- | C] () -- C:\WINDOWS\System32\cidft.dll
[2004/04/12 22:10:04 | 00,000,002 | ---- | C] () -- C:\WINDOWS\System32\nthst32.dll
[2004/01/12 13:04:37 | 00,000,044 | ---- | C] () -- C:\WINDOWS\liveup.ini
[2004/01/03 18:33:42 | 00,005,006 | ---- | C] () -- C:\WINDOWS\System32\wfileu.drv
[2004/01/03 17:57:00 | 00,000,400 | ---- | C] () -- C:\WINDOWS\bsnlst.dll
[2004/01/03 17:57:00 | 00,000,306 | ---- | C] () -- C:\WINDOWS\System32\picsfil.dll
[2004/01/03 13:19:57 | 00,000,524 | ---- | C] () -- C:\WINDOWS\DELLSTAT.INI
[2004/01/02 12:55:20 | 00,000,771 | ---- | C] () -- C:\WINDOWS\MusEdit.INI
[2004/01/02 12:53:23 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\MusEditC.dll
[2004/01/02 12:53:23 | 00,015,040 | ---- | C] () -- C:\WINDOWS\System32\MXMIDI16.DLL
[2003/12/29 11:18:01 | 00,000,174 | ---- | C] () -- C:\WINDOWS\System32\mcini.ini
[2003/12/28 20:34:57 | 00,142,848 | ---- | C] () -- C:\Documents and Settings\Greg Matses\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/12/24 23:05:34 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2003/12/16 22:10:44 | 00,046,056 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/12/08 08:23:25 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/12/08 08:21:56 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/12/08 08:11:50 | 00,000,430 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2003/12/08 08:08:03 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2003/12/08 08:06:50 | 00,000,893 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/12/08 07:51:27 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/12/08 07:37:30 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/10/02 01:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 01:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/13 14:40:22 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbavs.dll
[2002/10/08 15:24:44 | 00,000,177 | ---- | C] () -- C:\WINDOWS\System32\dlbacoin.ini

========== LOP Check ==========

[2004/01/03 13:20:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/03/05 00:22:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/07/01 21:03:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2008/12/03 01:26:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Line 6
[2007/01/24 12:19:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Raize
[2009/12/10 17:41:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Retrospect
[2008/03/29 21:23:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/01/14 19:48:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/07/22 15:41:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/10/19 22:13:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/13 16:07:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2005/01/02 19:51:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Backup MyPC Deluxe
[2003/12/28 17:19:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Leadertech
[2005/06/14 00:02:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Line 6
[2004/05/15 01:26:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Lycos
[2008/09/02 22:18:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\MusEdit
[2009/07/28 12:51:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\OfficeUpdate12
[2005/01/14 12:28:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Steinberg
[2007/01/27 23:31:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\Viewpoint
[2009/12/12 17:03:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg Matses\Application Data\webex
[2010/01/15 01:12:04 | 00,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2010/01/01 01:00:11 | 00,000,344 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/24 17:04:11 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2008/09/01 12:01:47 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:AGP440.sys
[2004/08/24 17:04:11 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/01 12:01:47 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/04 01:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 14:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2002/08/29 06:00:00 | 10,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys
[2002/08/29 06:00:00 | 10,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2004/08/24 17:04:11 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2008/09/01 12:01:47 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:atapi.sys
[2004/08/24 17:04:11 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/01 12:01:47 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2009/12/15 01:02:40 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/12/15 01:02:40 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys
[2009/12/15 01:02:40 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004/08/04 00:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/04/23 10:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys
[2003/04/23 10:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 02:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2002/08/29 06:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2002/08/29 06:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2004/08/04 02:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 02:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2002/08/29 06:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Greg Matses\Desktop\desktop.ini:SummaryInformation
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

OTL Extras logfile created on: 1/24/2010 2:35:41 PM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\Greg Matses\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 37.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.85 Gb Total Space | 18.74 Gb Free Space | 33.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GREGLAPTOP
Current User Name: Greg Matses
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Dell Computer\Dell Picture Studio v2.0\launch.exe" = C:\Program Files\Dell Computer\Dell Picture Studio v2.0\launch.exe:*:Enabled:Jasc Paint Shop Photo Album Application -- (Jasc Software)
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" = C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Enabled:Microsoft Office Word -- (Microsoft Corporation)
"C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX -- (Macromedia, Inc.)
"C:\hmremote\WinVNC.exe" = C:\hmremote\WinVNC.exe:*:Enabled:TightVNC Win32 Server -- (TightVNC Group)
"C:\Program Files\Dell TrueMobile 2300\ControlUtility.exe" = C:\Program Files\Dell TrueMobile 2300\ControlUtility.exe:*:Enabled:ControlUtility -- ()
"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
"{054C3038-FFAC-446D-9682-E25891DC2E05}" = QuickBooks Product Listing Service
"{06B8DAD8-2809-475E-BA9D-C34479A0D58A}" = Dell TrueMobile 2300 Control Utility
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{147567F0-8575-4BE0-B5B3-62706C67FA5A}" = EZXCocktail
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1B4AA674-F5CA-4BB5-831A-CD37B4021959}" = ImageMixer for Sony
"{20227921-DB38-4810-9162-DDC6FCA936E7}" = Dell Home Systems Services Agreement
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}" = EZXPercussion
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3EC91FDF-FE9A-43D5-96C4-8A9C24372500}" = Maxtor OneTouch
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{410438A3-B591-4028-B70A-3CC0B33FBCD1}" =
"{417B79C9-CDB4-477F-952D-840CEFC57A6C}" = AccessDirect
"{430399DC-98BC-4A7F-8F8E-77981CABAE05}" = EZXVintage
"{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}" = EZdrummer
"{4468EF97-A253-4699-9E1C-88CAE2C6832D}" = ABBYY FineReader 5.0 Sprint
"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician
"{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}" = Image Transfer
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = Sonic MyDVD
"{62FC357F-022B-4F90-9376-7A0DF9FBE7A1}" = Sonic Foundry Sound Forge 6.0
"{637099FB-45FD-4BC7-9651-6FB540DBB749}" = Sonic Backup MyPC Deluxe
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E545666-F422-45FD-B3DF-C0B99A1A579F}" = QuickBooks Pro 2007
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Advanced Control Suite
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9B79DCB0-AAD7-456B-8D07-433C936FA24B}" = DS21Patch
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{ABC52CF9-2D43-4278-A152-CB2CD3ED8FE9}" = MIDI-OX
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4354214-B919-4C8F-84EB-4F9B84ACC02C}" = Retrospect 6.0
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA22A6BB-10B5-4595-BD59-1AD4023C8536}" = Virtual Sound Canvas VST
"{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}" = EZXDfh
"{DCB91C79-B78B-44B1-A7FE-28DECA6E9245}" = Dell TrueMobile 2300 Wireless Broadband Router Control Utility
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{FB6691DA-66D3-412E-9853-641CF7D0C35A}" = AmpliTube2
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"7-Zip" = 7-Zip 4.65
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0 Professional
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Photoshop 5.5" = Adobe Photoshop 5.5
"Antares Hyperprism v1.5.6 DX" = Antares Hyperprism v1.5.6 DX
"Antares Microphone Modeler - ZONE" = Antares Microphone Modeler - ZONE
"Arboretum Raygun v1.3 DX & Stand-alone" = Arboretum Raygun v1.3 DX & Stand-alone
"ASAPI Update" = ASAPI Update
"Ashampoo WinOptimizer 6_is1" = Ashampoo WinOptimizer 6.30
"BBE Sonic Maximizer Plugin" = BBE Sonic Maximizer Plugin
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D480 MDC V.9x Modem
"De-Esser" = SPL De-Esser v1.0
"Dell AIO Printer A940" = Dell AIO Printer A940
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"FLV Player Ver 1.00_is1" = FLV Player Ver 1.00
"GuitarPort 2.51" = GuitarPort 2.51 (Remove Only)
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IK Multimedia AmpliTube v1.1.1" = IK Multimedia AmpliTube v1.1.1
"IK Multimedia Sampletank XL v2.0.2.R1" = IK Multimedia Sampletank XL v2.0.2.R1
"InstallShield_{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
"InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Advanced Control Suite
"Line 6 Edit" = Line 6 Edit (remove only)
"Line 6 Uninstaller" = Line 6 Uninstaller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MOTU FireWire Audio Uninstall" = MOTU FireWire Audio
"Mozilla Firefox (3.0.13)" = Mozilla Firefox (3.0.13)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MusEdit" = MusEdit
"MXOFX" = USB Storage Adapter FX (MXO)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 6.0" = RealPlayer
"Revo Uninstaller" = Revo Uninstaller 1.83
"Rhapsody" = Rhapsody
"SF Noise Reduction DX" = Sonic Foundry Noise Reduction DX v2.0
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Steinberg HALion v2.0" = Steinberg HALion v2.0
"Steinberg WaveLab 4.0g" = Steinberg WaveLab 4.0g
"Steinberg Wavelab v4.01a" = Steinberg Wavelab v4.01a
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SUPER " = SUPER Version 2009.bld.36 (June 10, 2009)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TC.Works.Native.Bundle.v3.0.VST.WinAll-cRime" = TC.Works.Native.Bundle.v3.0.VST.WinAll-cRime
"TEFView_is1" = TEFView 2.64
"Timeworks Millenium Pack" = Timeworks Millenium Pack
"T-Racks" = T-Racks v1.1
"T-RackS 24 v2.0.1" = T-RackS 24 v2.0.1
"Vegas Pro" = Vegas Pro v1.0b 208
"VSC32" = Virtual Sound Canvas 3.2
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{3EC91FDF-FE9A-43D5-96C4-8A9C24372500}" = Maxtor OneTouch
"Move Media Player" = Move Media Player
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/10/2010 7:47:48 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/10/2010 7:47:48 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/10/2010 7:47:48 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/10/2010 7:47:48 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/10/2010 7:47:49 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/10/2010 7:47:49 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/10/2010 7:47:49 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/10/2010 7:47:50 PM | Computer Name = GREGLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/11/2010 5:33:01 PM | Computer Name = GREGLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module AcroPDF.dll, version 7.0.7.0, fault address 0x0002fc89.

Error - 1/11/2010 6:53:21 PM | Computer Name = GREGLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10d.ocx, version 10.0.42.34, fault address 0x000e6f80.

[ System Events ]
Error - 1/21/2010 11:43:05 AM | Computer Name = GREGLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/21/2010 11:43:05 AM | Computer Name = GREGLAPTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/21/2010 11:54:31 AM | Computer Name = GREGLAPTOP | Source = Service Control Manager | ID = 7034
Description = The WLTRYSVC service terminated unexpectedly. It has done this 1
time(s).

Error - 1/21/2010 12:00:56 PM | Computer Name = GREGLAPTOP | Source = Service Control Manager | ID = 7034
Description = The WLTRYSVC service terminated unexpectedly. It has done this 1
time(s).

Error - 1/22/2010 2:47:19 PM | Computer Name = GREGLAPTOP | Source = DCOM | ID = 10010
Description = The server {9E14B23B-5D8A-447F-B962-6D6D6897861E} did not register
with DCOM within the required timeout.

Error - 1/22/2010 7:33:29 PM | Computer Name = GREGLAPTOP | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the mcmscsvc service.

Error - 1/22/2010 7:33:36 PM | Computer Name = GREGLAPTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 1/22/2010 7:33:36 PM | Computer Name = GREGLAPTOP | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 1/23/2010 12:35:53 PM | Computer Name = GREGLAPTOP | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3
00000001, parameter4 8860d00c.

Error - 1/23/2010 1:16:14 PM | Computer Name = GREGLAPTOP | Source = System Error | ID = 1003
Description = Error code 10000050, parameter1 e489c000, parameter2 00000000, parameter3
b4118c3e, parameter4 00000001.


< End of report >


#15 schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:10 PM

Posted 24 January 2010 - 03:22 PM

Hi,


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - Reg Error: Value error. File not found
    O2 - BHO: (no name) - {EF45B8E6-C662-4819-88B5-3C2AC20EF9DE} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    [2010/01/19 17:47:02 | 00,870,128 | ---- | M] () -- C:\WINDOWS\System32\mcs.rma
    [2010/01/19 17:47:02 | 00,000,004 | ---- | M] () -- C:\WINDOWS\System32\83A625
    [2010/01/10 21:07:24 | 00,000,016 | ---- | M] () -- C:\WINDOWS\System32\w3data.vss
    [2010/01/10 21:07:24 | 00,000,016 | ---- | M] () -- C:\WINDOWS\msocreg32.dat
  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
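As an added example (not part of schrauber's post and not OTL's own code), a small Python parser for the fix-script format used above: it reads the `:OTL` section, separates the HijackThis-style registry entries (O2/O3/O16) from the timestamped file entries, flags registry entries whose CLSID or file no longer resolves, and summarizes what the fix would touch so the list can be reviewed before it is run. The regexes and the `FixEntry` layout are my assumptions about OTL's line format; the sample lines are constructed from this thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the fix script posted above:
# an ":OTL" header followed by lines copied from an OTL scan log.
SAMPLE_FIX = """:OTL
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - Reg Error: Value error. File not found
O3 - HKLM\\..\\Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
[2010/01/19 17:47:02 | 00,870,128 | ---- | M] () -- C:\\WINDOWS\\System32\\mcs.rma
[2010/01/10 21:07:24 | 00,000,016 | ---- | M] () -- C:\\WINDOWS\\msocreg32.dat
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Assumed layout of an OTL file entry: [date time | size | attrs | M/C] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

@dataclass
class FixEntry:
    kind: str            # "O2", "O3", "O16" or "file"
    target: str          # CLSID for registry entries, full path for files
    size: Optional[int]  # file size in bytes, None for registry entries
    orphaned: bool       # registry entry whose CLSID or file no longer resolves

def parse_fix_script(text: str) -> list[FixEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(":"):   # skip blanks and section headers
            continue
        m = FILE_RE.match(line)
        if m:
            entries.append(FixEntry("file", m["path"], int(m["size"].replace(",", "")), False))
            continue
        # Otherwise expect an "Onn - ..." HijackThis-style registry entry
        code = line.split(" - ", 1)[0]
        clsid = CLSID_RE.search(line)
        orphaned = "No CLSID value found" in line or "File not found" in line or "Reg Error" in line
        entries.append(FixEntry(code, clsid.group(0) if clsid else "", None, orphaned))
    return entries

def summarize(entries: list[FixEntry]) -> tuple[dict, list[str]]:
    """Count entries by kind and list the files targeted under the Windows directory."""
    counts: dict = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    win_files = [e.target for e in entries
                 if e.kind == "file" and e.target.upper().startswith("C:\\WINDOWS")]
    return counts, win_files
```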
