Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Work is detecting malware/viruses through VPN - I don't see them


  • This topic is locked This topic is locked
28 replies to this topic

#1 VirusSucks

VirusSucks

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 12 January 2010 - 03:01 AM

Hi,

I log into work through Cisco VPN. They have sent me two notifications that my laptop is infected with malware/viruses, most currently the following:

Trojan.Downloader.QQHelper
Trojan.Alureon
Trojan.Fakeavalert
Trojan.TDSServ
Bot.Conficker.B
Bot.Grum

I am on Windows XP and use a Netgear wireless router through Comcast.

I have no symptoms and have not found any detections when I have run multiple antivirus programs.

I posted in the " Am I infected? What do I do?" forum, and followed their instructions below:
1. Ran Rkill by Grinler

2. Ran MalwareBytes

3. Ran ATF-Cleaner and SUPERAntiSpyware in safe mode.
Nothing has been detected.

I did have a problem with redirected searches about two months ago, but I got rid of that problem and have been fine since.

Is it possible that my work is reporting false viruses? Any help will be much appreciated, as my VPN priviliges are very close to being revoked.


DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Linda at 23:42:50.17 on Tue 01/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1310 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1368 [VPS 100111-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Linda\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DWABrowserHlprObj Class: {2709d830-b643-4e72-9a1e-701cfffcf30c} - c:\windows\system32\dwabho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: &Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\wat_en\ACCESS~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset .exe c:\program files\dell\quickset\quickset .exe c:\program files\dell\quickset\quickset .exe c:\program files\dell\quickset\quickset.exe .exe c:\program files\dell\quickset\quickset .exe c:\program files\dell\quickset\quickset.exe .exe c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam .exe" /runcleanupscript
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184283924328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://inside.sfsu.edu/mail01b/dwa7W.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5263/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\linda\applic~1\mozilla\firefox\profiles\o5kkwa9v.default\
FF - plugin: c:\documents and settings\linda\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-12 207792]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-19 114768]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-8 11608]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-1 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-8 108289]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-19 138680]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-8 56816]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-12 112592]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-1 144704]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-1 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-1 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-8 185089]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-19 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-19 352920]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-1 34248]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-12 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-12 1141712]

=============== Created Last 30 ================

2010-01-13 01:53:10 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-13 01:19:57 0 d--h--w- c:\windows\PIF
2010-01-12 22:37:44 883 ----a-w- c:\windows\RegSDImport.xml
2010-01-12 22:37:44 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-12 22:37:44 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-12 22:37:44 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-12 22:37:44 131 ----a-w- c:\windows\IDB.zip
2010-01-12 22:37:43 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-12 22:37:43 1152444 ----a-w- c:\windows\UDB.zip
2010-01-12 22:37:42 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-12 22:35:40 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-12 22:35:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-12 22:35:31 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-12 22:35:31 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-12 22:35:31 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-12 22:35:30 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-12 22:35:10 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-12 22:35:10 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-12 22:34:49 0 d-----w- c:\program files\common files\PC Tools
2010-01-12 22:34:48 0 d-----w- c:\program files\Spyware Doctor
2010-01-12 22:34:48 0 d-----w- c:\docume~1\linda\applic~1\PC Tools
2010-01-12 22:34:48 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-08 17:26:16 0 d--h--w- c:\windows\system32\GroupPolicy
2010-01-08 06:14:27 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-08 06:14:20 0 d-----w- c:\program files\Avira
2010-01-08 06:14:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-08 06:09:44 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-08 06:09:44 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-08 06:09:44 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-08 06:09:44 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-08 06:09:44 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-01-08 06:09:39 0 d-----w- c:\docume~1\linda\applic~1\Simply Super Software
2010-01-08 06:09:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-01-08 04:11:41 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-07 23:34:40 0 d-----w- c:\program files\Spybot - Search & Destroy

==================== Find3M ====================

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 22:40:41 13025 ----a-w- c:\windows\system32\nvModes.dat
2009-11-20 01:45:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-18 05:00:28 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2008-05-20 02:26:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051920080520\index.dat

============= FINISH: 23:43:56.65 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:25 AM

Posted 17 January 2010 - 02:53 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 18 January 2010 - 03:29 AM

Hi Myrti,

Thank you for your response. I tried selecting "Track this Topic" from the Options menu, but it gave me an error stating that I was already subscribed to this topic. I did check the "Enable email notification of replies" box below this Fast Reply.

Also, I ran OTL twice, and it is no longer giving me an extra.txt file. Here is the OTL.txt file:

OTL logfile created on: 1/19/2010 12:21:02 AM - Run 4
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Linda\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 94.95 Gb Free Space | 84.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DHXV74D1
Current User Name: Linda
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/19 00:20:41 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Linda\Desktop\OTL.exe
PRC - [2010/01/07 07:56:13 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/05 07:56:02 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/24 17:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/19 19:45:43 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/19 19:45:43 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/08/29 12:58:16 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/31 14:50:40 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/02/21 10:28:36 | 00,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 10:19:40 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 10:16:48 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 10:10:00 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/02/20 11:24:34 | 00,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2007/02/18 22:27:16 | 00,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2007/02/18 22:26:32 | 00,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/12/19 13:21:48 | 00,079,432 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/11/03 17:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/09/05 09:09:10 | 00,315,392 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe
PRC - [2006/08/25 08:45:30 | 00,192,512 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
PRC - [2006/06/12 09:01:14 | 00,180,224 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
PRC - [2000/08/06 00:03:20 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe


========== Modules (SafeList) ==========

MOD - [2010/01/19 00:20:41 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Linda\Desktop\OTL.exe
MOD - [2006/09/08 07:32:02 | 00,286,720 | ---- | M] () -- C:\WINDOWS\system32\wxvault.dll
MOD - [2006/09/08 07:30:44 | 00,004,096 | ---- | M] () -- C:\WINDOWS\system32\detoured.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/16 20:14:30 | 00,194,032 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/19 19:45:43 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/10 10:28:08 | 00,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/11/06 14:29:22 | 01,141,712 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/10/30 11:18:16 | 00,359,624 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) [On_Demand | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 19:22:22 | 00,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/29 12:58:16 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/05/31 14:50:40 | 00,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/02/21 10:28:36 | 00,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/02/21 10:19:40 | 00,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/02/21 10:16:48 | 00,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/02/21 10:10:00 | 00,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/02/20 11:24:34 | 00,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2007/02/18 22:27:16 | 00,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2006/12/19 13:21:48 | 00,079,432 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/09/05 09:09:10 | 00,315,392 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe -- (DataSvr2)
SRV - [2006/06/12 09:01:14 | 00,180,224 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2000/08/06 00:50:20 | 07,442,493 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -- (MSSQLSERVER)
SRV - [2000/08/06 00:50:18 | 00,303,170 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe -- (SQLSERVERAGENT)


========== Driver Services (SafeList) ==========

DRV - [2010/01/08 09:25:09 | 00,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/01/05 07:56:06 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/11/09 11:20:12 | 00,207,792 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/09/15 05:56:14 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/09/15 05:55:30 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/09/15 05:55:19 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/11 09:12:24 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/08/29 12:57:18 | 00,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 10:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/29 16:36:28 | 00,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/11/14 16:05:16 | 00,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/21 22:27:25 | 00,021,425 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2007/05/31 14:50:20 | 06,727,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/04/15 21:03:04 | 00,056,576 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/04/15 20:49:08 | 00,132,608 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/03/18 14:44:38 | 00,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/03/12 19:59:56 | 02,203,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/02/21 10:16:12 | 00,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/02/18 22:27:34 | 01,228,296 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/01/31 17:19:04 | 00,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/01/31 17:19:04 | 00,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2007/01/31 17:19:02 | 00,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/01/31 17:19:02 | 00,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/01/18 17:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/12/19 13:21:52 | 00,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)
DRV - [2006/11/02 11:32:32 | 00,097,536 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec01.sys -- (DXEC01)
DRV - [2006/10/17 17:02:28 | 00,038,288 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2006/01/10 10:07:58 | 00,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/12/09 14:35:00 | 00,018,816 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pbadrv.sys -- (PBADRV)
DRV - [2005/10/14 05:54:16 | 00,017,290 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btpmw32.sys -- (BCMTPM)
DRV - [2005/08/12 15:50:46 | 00,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2001/08/17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 11:12:10 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk-rel...html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk-rel...html?channel=us
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll File not found
IE - HKU\S-1-5-21-603032722-229761981-2833396860-1005\S-1-5-21-603032722-229761981-2833396860-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {097d3191-e6fa-4728-9826-b533d755359d}:0.7.10
FF - prefs.js..extensions.enabledItems: accessext@cita.uiuc.edu:1.5.58.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/07 07:56:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/07 07:56:22 | 00,000,000 | ---D | M]

[2008/06/24 15:59:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Linda\Application Data\Mozilla\Extensions
[2010/01/19 00:04:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\o5kkwa9v.default\extensions
[2009/12/04 19:48:51 | 00,000,000 | ---D | M] (All-in-One Sidebar) -- C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\o5kkwa9v.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
[2009/12/04 19:48:43 | 00,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\o5kkwa9v.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2009/12/04 19:48:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\o5kkwa9v.default\extensions\accessext@cita.uiuc.edu
[2010/01/18 23:05:22 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 04:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DWABrowserHlprObj Class) - {2709D830-B643-4e72-9A1E-701CFFFCF30C} - C:\WINDOWS\system32\dwabho.dll (IBM Corporation)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Accessibility Toolbar) - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\Program Files\WAT_EN\Accessibility_Toolbar.dll (NILS Accessible Information Solutions)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll File not found
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\..\Toolbar\WebBrowser: (&Accessibility Toolbar) - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\Program Files\WAT_EN\Accessibility_Toolbar.dll (NILS Accessible Information Solutions)
O3 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe File not found
O4 - HKLM..\Run: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-603032722-229761981-2833396860-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe (Wave Systems Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O7 - HKU\S-1-5-21-603032722-229761981-2833396860-1005_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-603032722-229761981-2833396860-1005_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O15 - HKLM\..Trusted Domains: 107 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-603032722-229761981-2833396860-1005\..Trusted Domains: 34 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1184283924328 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} https://inside.sfsu.edu/mail01b/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...263/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - AppInit_DLLs: (wxvault.dll) - C:\WINDOWS\System32\wxvault.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (waveGina.dll) - C:\WINDOWS\System32\waveGina.dll (Wave Systems Corp)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Linda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Linda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 16:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{88f66ea0-6f72-11de-982b-0019b97d9e53}\Shell - "" = AutoRun
O33 - MountPoints2\{88f66ea0-6f72-11de-982b-0019b97d9e53}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{88f66ea0-6f72-11de-982b-0019b97d9e53}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/19 00:20:26 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Linda\Desktop\OTL.exe
[2010/01/18 20:40:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Linda\My Documents\2009
[2010/01/12 23:45:02 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Linda\Desktop\RootRepeal.exe
[2010/01/12 19:53:10 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/12 19:44:01 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Linda\Desktop\ATF-Cleaner.exe
[2010/01/12 19:19:57 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/01/12 16:44:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Linda\Local Settings\Application Data\Threat Expert
[2010/01/12 16:37:44 | 00,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/01/12 16:37:43 | 01,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/01/12 16:37:42 | 00,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/01/12 16:35:40 | 00,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/01/12 16:35:31 | 00,207,792 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/01/12 16:35:30 | 00,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/01/12 16:35:10 | 00,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/01/12 16:34:49 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/01/12 16:34:48 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/01/12 16:34:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Linda\Application Data\PC Tools
[2010/01/12 16:34:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/01/08 11:26:16 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/01/08 00:35:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/01/08 00:14:27 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/01/08 00:14:27 | 00,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/01/08 00:14:27 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/01/08 00:14:26 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/01/08 00:14:25 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/01/08 00:14:20 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/01/08 00:14:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/01/08 00:09:44 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2010/01/08 00:09:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Linda\My Documents\Simply Super Software
[2010/01/08 00:09:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Linda\Application Data\Simply Super Software
[2010/01/08 00:09:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/01/07 22:11:41 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/07 17:34:40 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/25 22:26:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Linda\Desktop\webscr_files
[2009/11/22 16:06:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2009/11/22 16:06:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/22 16:06:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/11/19 02:10:35 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/09/22 22:21:22 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/07/10 19:16:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2007/06/21 22:27:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2007/06/21 22:27:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Intel
[2004/08/11 16:20:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/19 00:20:41 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Linda\Desktop\OTL.exe
[2010/01/19 00:20:40 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/19 00:18:50 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2010/01/19 00:18:40 | 00,013,025 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/01/19 00:18:37 | 00,024,103 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/19 00:18:28 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/19 00:17:59 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/01/19 00:17:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/19 00:17:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/19 00:17:32 | 21,455,05280 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/19 00:16:57 | 05,505,024 | ---- | M] () -- C:\Documents and Settings\Linda\NTUSER.DAT
[2010/01/19 00:02:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/01/18 23:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/01/18 22:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/01/18 21:15:52 | 00,001,846 | -H-- | M] () -- C:\Documents and Settings\Linda\My Documents\Default.rdp
[2010/01/18 21:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/01/18 18:19:22 | 06,444,214 | -H-- | M] () -- C:\Documents and Settings\Linda\Local Settings\Application Data\IconCache.db
[2010/01/18 18:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/01/18 17:00:03 | 00,017,514 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\3253_73875461771_633291771_1590160_2322658_n.jpg
[2010/01/18 17:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/01/18 16:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/01/18 15:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/01/18 14:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/01/18 13:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/01/18 01:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/01/16 20:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/01/16 19:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/01/16 12:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/01/16 02:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/01/15 23:56:05 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/14 11:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/01/14 10:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/01/12 23:47:00 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\settings.dat
[2010/01/12 23:45:08 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Linda\Desktop\RootRepeal.exe
[2010/01/12 23:42:18 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\dds.scr
[2010/01/12 22:43:12 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Linda\ntuser.ini
[2010/01/12 19:53:47 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/12 19:44:58 | 07,520,288 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\SUPERAntiSpyware.exe
[2010/01/12 19:44:01 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Linda\Desktop\ATF-Cleaner.exe
[2010/01/12 16:35:21 | 00,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/01/12 09:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/01/12 08:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/01/12 07:00:00 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/01/08 11:39:01 | 00,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/01/08 09:25:09 | 00,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/01/08 00:14:44 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/07 22:12:40 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/07 08:11:01 | 05,292,054 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\notdtc.bmp
[2010/01/07 01:25:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/01 01:00:04 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/12/28 00:14:29 | 00,005,686 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\resume.html
[2009/12/25 22:26:26 | 00,020,779 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\webscr.htm
[2009/12/23 13:51:22 | 00,200,463 | ---- | M] () -- C:\Documents and Settings\Linda\Desktop\gmat.JPG
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/18 17:00:00 | 00,017,514 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\3253_73875461771_633291771_1590160_2322658_n.jpg
[2010/01/12 23:45:38 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\settings.dat
[2010/01/12 23:42:17 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\dds.scr
[2010/01/12 22:43:52 | 21,455,05280 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/12 19:53:47 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/12 19:44:30 | 07,520,288 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\SUPERAntiSpyware.exe
[2010/01/12 16:37:44 | 00,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/01/12 16:37:44 | 00,000,883 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/01/12 16:37:44 | 00,000,880 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/01/12 16:37:44 | 00,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/01/12 16:37:43 | 01,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/01/12 16:35:40 | 00,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/01/12 16:35:31 | 00,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/01/12 16:35:31 | 00,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/01/12 16:35:21 | 00,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/01/12 16:35:10 | 00,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/01/08 11:30:21 | 00,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/01/08 00:14:44 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/08 00:09:44 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/01/08 00:09:44 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2010/01/08 00:09:44 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/01/08 00:09:44 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/01/07 23:54:11 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/07 08:11:00 | 05,292,054 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\notdtc.bmp
[2009/12/28 00:08:05 | 00,005,686 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\resume.html
[2009/12/25 22:26:25 | 00,020,779 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\webscr.htm
[2009/12/23 13:51:22 | 00,200,463 | ---- | C] () -- C:\Documents and Settings\Linda\Desktop\gmat.JPG
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/28 12:58:02 | 00,007,680 | -HS- | C] () -- C:\Documents and Settings\Linda\Application Data\Thumbs.db
[2009/07/23 23:40:16 | 00,002,119 | ---- | C] () -- C:\Documents and Settings\Linda\Application Data\VmqZk2Dkat.gif
[2009/07/23 23:40:16 | 00,000,607 | ---- | C] () -- C:\Documents and Settings\Linda\Application Data\VmqZk2Dkzn.gif
[2009/07/23 23:40:16 | 00,000,598 | ---- | C] () -- C:\Documents and Settings\Linda\Application Data\VmqZk2Dkby.gif
[2009/03/24 00:13:06 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Linda\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/29 12:58:26 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/08/29 12:58:16 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/07/05 10:37:00 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\wddx_com.dll
[2007/07/05 10:37:00 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\CFFileProxy.dll
[2007/07/05 10:37:00 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\CFSDebug.dll
[2007/07/05 10:36:34 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2007/07/05 10:36:34 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2007/07/05 10:36:34 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\cfmsg.dll
[2007/07/05 10:30:49 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/07/03 19:08:49 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\Linda\Local Settings\Application Data\.user_keys.dat
[2007/07/02 15:59:58 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Linda\Local Settings\Application Data\fusioncache.dat
[2007/06/21 22:34:17 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/06/21 22:24:12 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2007/06/21 22:24:12 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2007/06/21 22:01:21 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/06/21 22:01:21 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/06/21 22:01:21 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/06/21 22:01:20 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/06/21 21:59:55 | 00,001,120 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/09/12 11:07:36 | 00,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2006/09/12 11:01:48 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2006/09/12 11:01:42 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2006/09/12 11:01:34 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2006/09/12 11:01:28 | 00,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2006/09/12 11:01:20 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2006/09/12 11:01:12 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2006/09/12 11:01:06 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2006/09/12 11:00:58 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2006/09/12 11:00:52 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2006/09/12 11:00:44 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2006/09/08 07:32:02 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2006/09/08 07:30:44 | 00,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[2006/09/05 09:05:32 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_en.dll
[2006/09/05 08:26:06 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2006/09/05 08:25:54 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2006/09/05 08:25:42 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2006/09/05 08:25:32 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2006/09/05 08:25:20 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2006/09/05 08:25:10 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2006/09/05 08:24:58 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2006/09/05 08:24:48 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2006/09/05 08:24:36 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2006/09/05 08:24:26 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2006/06/12 09:01:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_RUS.dll
[2006/06/12 09:01:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ITA.dll
[2006/06/12 09:01:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_FRA.dll
[2006/06/12 09:01:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ESN.dll
[2006/06/12 09:01:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2006/06/12 09:01:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_DEU.dll
[2006/06/12 09:01:18 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_CHS.dll
[2006/06/12 09:01:16 | 00,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2005/12/01 13:41:20 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2005/09/20 12:36:06 | 00,798,720 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2004/08/11 16:24:19 | 00,000,832 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 16:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/07/21 14:03:14 | 00,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/07/20 13:27:52 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2004/03/18 17:01:20 | 00,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >


Thanks again!

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:25 AM

Posted 18 January 2010 - 08:43 AM

Hi,

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or Avast.

Please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 18 January 2010 - 05:37 PM

Howdy,

I tried running twice in normal mode, but received a blue screen that said, among other things, "PFN_List_Corrupt."

I was able to run in safe mode, so here it is:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 14:29:19
Windows 5.1.2600 Service Pack 3
Running: cgwvnuxh.exe; Driver: C:\DOCUME~1\Linda\LOCALS~1\Temp\ugroapod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF743BE52]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF741CCDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF741CED0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF743C640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF743C8F4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF743AB44]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF743CD60]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF743C112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF741C984]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[260] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[260] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[304] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\lsass.exe[316] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[476] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[524] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[556] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[604] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[640] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[956] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1040] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[1456] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Linda\Desktop\cgwvnuxh.exe[1504] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B95F2D20
Device \FileSystem\Fastfat \Fat B9602428

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#6 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 18 January 2010 - 06:17 PM

Hi again,

I have a question about virus protection. I get McAfee from Comcast. I downloaded Avast because the initial redirect malware problems that I had were not detected by McAfee. I was not experiencing any problems when running both McAfee and Avast, and just felt safer (though it may have been a false sense of security). If I was not having problems running both, is it ok to still do so? If not, which would you recommend?

Thank you!

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:25 AM

Posted 19 January 2010 - 11:48 AM

Hi,

I previously missed that you have also installed Avira Antivir. This is the anti virus program, that I have been using as well and I'm happy with it. So if I were the one to choose, I would advise to remove both Avast and McAfee and just keep Avira.
Even though the programs may be running fine side by side now this may change with every update made to one of the three tools. I would definitely remove two of them, but since it is your PC, this is ultimately your decision.

I do not see a sign of conficker or tdss present on your PC. Is this the only PC you use for signing up through VPN, have you removed anything since you first came here?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 20 January 2010 - 12:27 AM

Hi Myrti,

Thanks for your advice! No, I haven't removed anything, and this is the only computer I've used. I really think that they may be misreading something. I will tell them that I got a clean bill of health from bleeping computer. Is that all I need to do?

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:25 AM

Posted 20 January 2010 - 03:04 PM

Hi,

there's a couple of things I'd like you to do before leaving:
First of all please run the following fix:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :files
    C:\Windows\tasks\at*.job
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
    If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

Then please run a scan with Eset:

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Whil it is rather obvious that the infections pointed out by your VPN aren't on your system, there may still be some other malware on it, we haven't seen yet. (although I doubt it, but I would like to make sure. smile.gif )

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 20 January 2010 - 07:57 PM

Hi myrti,

I just ran a scan with Avira, and it found multiple occurences of TR/Dldr.Cekar. Shall I post the log here?



#11 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 20 January 2010 - 08:05 PM

Hi again,

Here's the OTL moved files log. I will run the others right now:

========== FILES ==========
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\tasks\At10.job moved successfully.
C:\Windows\tasks\At11.job moved successfully.
C:\Windows\tasks\At12.job moved successfully.
C:\Windows\tasks\At13.job moved successfully.
C:\Windows\tasks\At14.job moved successfully.
C:\Windows\tasks\At15.job moved successfully.
C:\Windows\tasks\At16.job moved successfully.
C:\Windows\tasks\At17.job moved successfully.
C:\Windows\tasks\At18.job moved successfully.
C:\Windows\tasks\At19.job moved successfully.
C:\Windows\tasks\At2.job moved successfully.
C:\Windows\tasks\At20.job moved successfully.
C:\Windows\tasks\At21.job moved successfully.
C:\Windows\tasks\At22.job moved successfully.
C:\Windows\tasks\At23.job moved successfully.
C:\Windows\tasks\At24.job moved successfully.
C:\Windows\tasks\At3.job moved successfully.
C:\Windows\tasks\At4.job moved successfully.
C:\Windows\tasks\At5.job moved successfully.
C:\Windows\tasks\At6.job moved successfully.
C:\Windows\tasks\At7.job moved successfully.
C:\Windows\tasks\At8.job moved successfully.
C:\Windows\tasks\At9.job moved successfully.

OTL by OldTimer - Version 3.1.25.2 log created on 01212010_170838



#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:25 AM

Posted 20 January 2010 - 08:16 PM

Hi,

yes please post the log from avira.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 20 January 2010 - 08:18 PM

Hi,

Here's the Avira report. Am currently running the ESET:



Avira AntiVir Personal
Report file date: Thursday, January 21, 2010 16:01

Scanning for 1620081 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DHXV74D1

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 17:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 06:16:26
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:01:13
VBASE003.VDF : 7.10.3.2 2048 Bytes 1/20/2010 22:01:13
VBASE004.VDF : 7.10.3.3 2048 Bytes 1/20/2010 22:01:13
VBASE005.VDF : 7.10.3.4 2048 Bytes 1/20/2010 22:01:14
VBASE006.VDF : 7.10.3.5 2048 Bytes 1/20/2010 22:01:15
VBASE007.VDF : 7.10.3.6 2048 Bytes 1/20/2010 22:01:15
VBASE008.VDF : 7.10.3.7 2048 Bytes 1/20/2010 22:01:16
VBASE009.VDF : 7.10.3.8 2048 Bytes 1/20/2010 22:01:16
VBASE010.VDF : 7.10.3.9 2048 Bytes 1/20/2010 22:01:16
VBASE011.VDF : 7.10.3.10 2048 Bytes 1/20/2010 22:01:17
VBASE012.VDF : 7.10.3.11 2048 Bytes 1/20/2010 22:01:17
VBASE013.VDF : 7.10.3.12 2048 Bytes 1/20/2010 22:01:17
VBASE014.VDF : 7.10.3.13 2048 Bytes 1/20/2010 22:01:18
VBASE015.VDF : 7.10.3.14 2048 Bytes 1/20/2010 22:01:19
VBASE016.VDF : 7.10.3.15 2048 Bytes 1/20/2010 22:01:19
VBASE017.VDF : 7.10.3.16 2048 Bytes 1/20/2010 22:01:19
VBASE018.VDF : 7.10.3.17 2048 Bytes 1/20/2010 22:01:19
VBASE019.VDF : 7.10.3.18 2048 Bytes 1/20/2010 22:01:20
VBASE020.VDF : 7.10.3.19 2048 Bytes 1/20/2010 22:01:20
VBASE021.VDF : 7.10.3.20 2048 Bytes 1/20/2010 22:01:21
VBASE022.VDF : 7.10.3.21 2048 Bytes 1/20/2010 22:01:21
VBASE023.VDF : 7.10.3.22 2048 Bytes 1/20/2010 22:01:21
VBASE024.VDF : 7.10.3.23 2048 Bytes 1/20/2010 22:01:21
VBASE025.VDF : 7.10.3.24 2048 Bytes 1/20/2010 22:01:22
VBASE026.VDF : 7.10.3.25 2048 Bytes 1/20/2010 22:01:22
VBASE027.VDF : 7.10.3.26 2048 Bytes 1/20/2010 22:01:22
VBASE028.VDF : 7.10.3.27 2048 Bytes 1/20/2010 22:01:23
VBASE029.VDF : 7.10.3.28 2048 Bytes 1/20/2010 22:01:23
VBASE030.VDF : 7.10.3.29 2048 Bytes 1/20/2010 22:01:23
VBASE031.VDF : 7.10.3.30 2048 Bytes 1/20/2010 22:01:24
Engineversion : 8.2.1.146
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 13:38:52
AESCRIPT.DLL : 8.1.3.9 659834 Bytes 1/21/2010 22:01:29
AESCN.DLL : 8.1.3.1 127348 Bytes 1/16/2010 07:08:43
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 13:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 1/8/2010 06:17:24
AEPACK.DLL : 8.2.0.5 422262 Bytes 1/16/2010 07:08:42
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 13:38:38
AEHEUR.DLL : 8.1.0.195 2232695 Bytes 1/16/2010 07:08:38
AEHELP.DLL : 8.1.10.0 237942 Bytes 1/16/2010 07:08:19
AEGEN.DLL : 8.1.1.83 369014 Bytes 1/8/2010 06:17:02
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 13:38:26
AECORE.DLL : 8.1.9.5 184693 Bytes 1/16/2010 07:08:18
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 13:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 21:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 18:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Thursday, January 21, 2010 16:01

Starting search for hidden objects.
'65370' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned
Scan process 'mcsysmon.exe' - '1' Module(s) have been scanned
Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
Scan process 'AutoUpdate.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'mcagent.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '1' Module(s) have been scanned
Scan process 'tcsd_win32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'stacsv.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'MpfSrv.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'Mcshield.exe' - '1' Module(s) have been scanned
Scan process 'McProxy.exe' - '1' Module(s) have been scanned
Scan process 'McNASvc.exe' - '1' Module(s) have been scanned
Scan process 'mcmscsvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'DataServer.exe' - '1' Module(s) have been scanned
Scan process 'cvpnd.exe' - '1' Module(s) have been scanned
Scan process 'BDTUpdateService.exe' - '1' Module(s) have been scanned
Scan process 'AsfIpMon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'scardsvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
56 processes with 56 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '67' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\SQLEVAL\devtools\samples\dblib\unzip_dblib.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\devtools\samples\desktop\unzip_desktop.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\devtools\samples\esqlc\unzip_esqlc.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\devtools\samples\msdtc\unzip_msdtc.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\devtools\samples\ods\unzip_ods.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\devtools\samples\oleauto\unzip_oleauto.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\devtools\samples\sqlns\unzip_sqlns.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\x86\other\dtstemplates.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\x86\other\prftemplates.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
C:\SQLEVAL\x86\other\qatemplates.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan

Beginning disinfection:
C:\SQLEVAL\devtools\samples\dblib\unzip_dblib.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4bd2dcc5.qua'!
C:\SQLEVAL\devtools\samples\desktop\unzip_desktop.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4ab638a6.qua'!
C:\SQLEVAL\devtools\samples\esqlc\unzip_esqlc.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4ab1005e.qua'!
C:\SQLEVAL\devtools\samples\msdtc\unzip_msdtc.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4ab42f36.qua'!
C:\SQLEVAL\devtools\samples\ods\unzip_ods.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4abbdf46.qua'!
C:\SQLEVAL\devtools\samples\oleauto\unzip_oleauto.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4ab8d78e.qua'!
C:\SQLEVAL\devtools\samples\sqlns\unzip_sqlns.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4ab9cfd6.qua'!
C:\SQLEVAL\x86\other\dtstemplates.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4bcbdccb.qua'!
C:\SQLEVAL\x86\other\prftemplates.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4bbedcc9.qua'!
C:\SQLEVAL\x86\other\qatemplates.exe
[DETECTION] Is the TR/Dldr.Cekar.160256A Trojan
[NOTE] The file was moved to '4bccdcb8.qua'!


End of the scan: Thursday, January 21, 2010 16:59
Used time: 57:28 Minute(s)

The scan has been done completely.

7764 Scanned directories
478338 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
478326 Files not concerned
4103 Archives were scanned
2 Warnings
12 Notes
65370 Objects were scanned with rootkit scan
0 Hidden objects were found



#14 VirusSucks

VirusSucks
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 20 January 2010 - 08:21 PM

Howdy,

By the way, I turned off my System Restore when the above Trojans were found. My understanding is that I should do this so that they will not be saved. Is this correct? Should I turn it back on again?

And thank you again for all your help. You are really wonderful!

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:25 AM

Posted 20 January 2010 - 08:57 PM

Hi,

usually we ask that system restore remains on during the cleaning, it may be the only hope to restore things after they went wrong. I would have asked you to flush your system restore after we finished cleaning your pc, because malware will indeed get stored in system restore and could get reactivated if you restored to a restore point from last week.
As long as you don't restore you do not have to worry about getting reinfected though.

The files flagged by avira seem to be a possible false positive. That would also explain why they have only been detected now. Did you create the folder C:\SQLEVAL or do you know to what it belongs?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users