Persistent Bug


28 replies to this topic

#1 wa4kec

Posted 27 April 2010 - 06:51 PM

I created this profile on my Dad's computer so that I can try to get it cleaned up for him without having to expose my thumbdrive or other peripherals to whatever might be on his system. He called me the other night and asked if I had installed anything new on his computer (no) and said that an antimalware program popped up saying he was infected and that he needed to install new updates.

I came over and realized immediately that yes he was infected, and that the program was in reality part of the infection. I ran Malwarebytes and it found and cleaned 50 infected files and folders that contained various trojans and viruses. I restarted the computer and ran Spybot Search & Destroy as well and found a few more. Afterwards the computer seemed to work fine until I opened Firefox. The home page came up and then a second tab opened and a female voice congratulated him and announced that he had been selected to take a survey. I updated Malwarebytes and scanned again but found nothing. Ran McAfee and it said it found and removed system@network.realmedia (2 txt files) but the "survey" still comes up.

So any suggestions on what to try next? A big THANKS to anyone who lends a hand. The computer is an older eMachines with a Celeron processor, 2 GB of RAM, and running the XP Home Edition 2002 SP3 OS.
--
Still working on my Dad's computer this morning. I followed the "Preparation Guide" last night, disabled CD emulation and script-blocking programs like it suggested, and saved the logs... except one. When I ran the GMER program it had been running a couple of hours and still had not finished, so I told Dad to leave it running and I would come back this morning to save the log and post the results. PROBLEM: In addition to disabling CD emulation and script blocking, the Prep Guide might also want to mention disabling automatic updates for Windows. Seems they came out with an update this morning (real important, to let Office 2010 install fonts) and before I got there it had downloaded, installed, AND restarted his computer. I'm going to check back with him in a couple of hours and see if GMER is done, and I'll log back in later.

Here are the logs as outlined in the Prep Guide. I could not find anywhere to attach a file, so I have pasted the attach.txt and ark.txt logs as well, in that order:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 20:21:16.96 on Tue 04/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1274 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3622
uSearch Page = hxxp://my.juno.com/s/search?r=minisearch
uSearch Bar = hxxp://my.juno.com/s/search?r=minisearch
mDefault_Search_URL = hxxp://my.juno.com/s/search?r=minisearch
mSearch Page = hxxp://my.juno.com/s/search?r=minisearch
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
mSearchAssistant = hxxp://my.juno.com/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\juno\SearchEnh1.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\juno\qsacc\X1IEBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100427154000.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\AGRemind.exe
IE: Display All Images with Full Quality - "c:\program files\juno\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\juno\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\88j3n9ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-13 385536]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-13 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-19 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-13 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-13 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-13 141792]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-13 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-13 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-13 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-13 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-7-1 69692]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-13 83496]

=============== Created Last 30 ================

2010-04-28 00:18:19 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-26 00:44:07 10043336 ----a-w- c:\documents and settings\owner\windows-kb890830-v3.6.exe
2010-04-24 03:16:01 0 d-----w- c:\docume~1\owner\applic~1\3F6715C76EA4DA85A337F99B9ADFC914
2010-04-20 19:16:19 0 d-----w- c:\program files\common files\Broderbund
2010-04-20 01:30:42 0 d-----w- c:\windows\BBSTORE
2010-04-20 01:30:36 0 d-----w- c:\program files\Web Publish
2010-04-20 01:29:48 0 d-----w- c:\program files\Broderbund
2010-04-13 23:24:45 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-13 23:24:34 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-13 23:24:34 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-13 23:24:34 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-13 23:24:34 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-13 23:24:34 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-13 23:24:34 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-13 23:24:34 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-13 23:24:34 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-13 23:24:34 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-03 00:38:05 0 d-----w- c:\documents and settings\owner\dwhelper

==================== Find3M ====================

2010-04-27 22:06:18 8392 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 20:40:15 20299200 ----a-w- c:\documents and settings\owner\TomTomHOME2winlatest.exe
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-01-19 21:10:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2010-01-20 00:43:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010011920100120\index.dat

============= FINISH: 20:23:20.40 ===============

THERE IS NO "BROWSE" BUTTON THAT I CAN FIND, SO THE REST OF THE LOGS FOLLOW: ATTACH.TXT


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: DeviceHarddiskVolume1
Install Date: 1/19/2010 4:18:34 PM
System Uptime: 4/27/2010 5:11:24 PM (3 hours ago)

Motherboard: ELITEGROUP | | 945GCT-M3
Processor: Intel Celeron processor | Socket 775 | 1599/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 35.131 GiB free.
D: is FIXED (NTFS) - 4 GiB total, 1.416 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

5500
5500_Help
5500Tour
5500Trb
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.3.2
AiO_Scan
AIOMinimal
AiOSoftware
American Greetings CreataCard Select 6
Browser Address Error Redirector
BufferChm
CCleaner
Copy
CreativeProjects
CutePDF Writer 2.8
Defraggler
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Diner Dash
DocProc
DVD Suite
eMachines Connect
eMachines Game Console
eSupportQFolder
Family Feud 2
FATE
Fax
Free Audio CD Burner version 1.2
Free YouTube to MP3 Converter version 3.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB979306)
HP Deskjet 5400 series
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Photo & Imaging 3.1
HP PSC & OfficeJet 3.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
HPDeskjet5400Series
hpmdtab
HPProductAssistant
HPSystemDiagnostics
InstantShare
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 16
Java™ SE Runtime Environment 6 Update 1
Juno Internet
Malwarebytes' Anti-Malware
McAfee Internet Security
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
OpenOffice.org 3.1
Overland
Penguins!
PhotoGallery
Polar Bowler
Polar Golfer
Power2Go 5.0
PowerDVD
PrintScreen
QuickProjects
Readme
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Recovery Software Suite eMachines
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SkinsHP1
SkinsHP2
Soft Data Fax Modem with SmartCP
SolutionCenter
Spare Backup
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SpywareBlaster 4.3
Status
TomTom HOME 2.7.3.1894
TomTom HOME Visual Studio Merge Modules
Tradewinds
TrayApp
Uninstall 1.0.0.1
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
WebFldrs XP
WebReg
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

4/23/2010 11:42:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 ACPIEC adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x Pcmcia perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
4/23/2010 11:21:49 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/23/2010 11:21:49 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================

ARK.TXT LOG FOLLOWS:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-28 14:27:36
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfeyafog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E6CC50]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E6CC64]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E6CC90]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E6CCE6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E6CC3C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E6CC14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E6CC28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E6CC7A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E6CCBC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E6CCA6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E6CD10]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E6CCFC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E6CCD0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP B9E6CCD4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B9E6CCEA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B9E6CD00 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 3 Bytes JMP B9E6CCC0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject + 4 805B6044 1 Byte [39]
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP B9E6CC18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP B9E6CC2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP B9E6CD14 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP B9E6CCAA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B9E6CC7E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP B9E6CC54 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B9E6CC68 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B9E6CC94 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B9E6CC40 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\cmdide.sys entry point in ".rsrc" section [0xBA5B5514]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[740] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[740] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[740] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F66
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D1005B
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10F8D
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D1004A
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100A7
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F55
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D100D3
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D100C2
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10F1F
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10FA8
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10076
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10F3A
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D0001E
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00043
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00FCD
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00FDE
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00F86
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D00F97
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F0, 88]
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00FA8
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0016
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0F95
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0FC1
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0FB0
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FDE
.text C:\WINDOWS\system32\svchost.exe[740] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[740] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[740] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[740] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\services.exe[920] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[920] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FB9
.text C:\WINDOWS\system32\services.exe[920] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F77
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F9E
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF005B
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0091
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F4B
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F13
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F24
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0F02
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF004A
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F66
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF002F
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF00A2
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0014
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE004A
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0039
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0F97
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FB2
.text C:WINDOWSsystem32services.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070F97
.text C:WINDOWSsystem32services.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070022
.text C:WINDOWSsystem32services.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070011
.text C:WINDOWSsystem32services.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:WINDOWSsystem32services.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070FB2
.text C:WINDOWSsystem32services.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070000
.text C:WINDOWSsystem32services.exe[920] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0005000A
.text C:WINDOWSsystem32services.exe[920] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0005001B
.text C:WINDOWSsystem32services.exe[920] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00050036
.text C:WINDOWSsystem32services.exe[920] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00050047
.text C:WINDOWSsystem32services.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060000
.text C:WINDOWSsystem32lsass.exe[932] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CF0000
.text C:WINDOWSsystem32lsass.exe[932] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CF0025
.text C:WINDOWSsystem32lsass.exe[932] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF0FE5
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80062
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80051
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80F6D
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80F8A
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80FB6
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F35
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F8007D
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80F10
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800A9
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800C4
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80F9B
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FE5
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F52
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F8002C
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F8001B
.text C:WINDOWSsystem32lsass.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80098
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F7001B
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70FA5
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70FCA
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70000
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70062
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70FEF
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F70047
.text C:WINDOWSsystem32lsass.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70036
.text C:WINDOWSsystem32lsass.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D2003D
.text C:WINDOWSsystem32lsass.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D20FB2
.text C:WINDOWSsystem32lsass.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20011
.text C:WINDOWSsystem32lsass.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20FE3
.text C:WINDOWSsystem32lsass.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20022
.text C:WINDOWSsystem32lsass.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20000
.text C:WINDOWSsystem32lsass.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D1000A
.text C:WINDOWSsystem32lsass.exe[932] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D00FEF
.text C:WINDOWSsystem32lsass.exe[932] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D0000A
.text C:WINDOWSsystem32lsass.exe[932] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D00FD4
.text C:WINDOWSsystem32lsass.exe[932] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D00FB9
.text C:WINDOWSsystem32svchost.exe[1088] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 024D0FEF
.text C:WINDOWSsystem32svchost.exe[1088] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 024D0014
.text C:WINDOWSsystem32svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 024D0FDE
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02520000
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02520F86
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02520FA1
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0252007B
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02520054
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02520FB2
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025200B1
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025200A0
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02520F33
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02520F44
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02520F22
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02520039
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02520FEF
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02520F75
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02520FC3
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02520FDE
.text C:WINDOWSsystem32svchost.exe[1088] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025200C2
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02510FDB
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02510076
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02510036
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0251001B
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02510FB9
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02510000
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0251005B
.text C:WINDOWSsystem32svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02510FCA
.text C:WINDOWSsystem32svchost.exe[1088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02500FAD
.text C:WINDOWSsystem32svchost.exe[1088] msvcrt.dll!system 77C293C7 5 Bytes JMP 02500042
.text C:WINDOWSsystem32svchost.exe[1088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0250001D
.text C:WINDOWSsystem32svchost.exe[1088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02500000
.text C:WINDOWSsystem32svchost.exe[1088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02500FD2
.text C:WINDOWSsystem32svchost.exe[1088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02500FE3
.text C:WINDOWSsystem32svchost.exe[1088] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 024E000A
.text C:WINDOWSsystem32svchost.exe[1088] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 024E0FE5
.text C:WINDOWSsystem32svchost.exe[1088] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 024E001B
.text C:WINDOWSsystem32svchost.exe[1088] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 024E0FD4
.text C:WINDOWSsystem32svchost.exe[1088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024F0000
.text C:WINDOWSsystem32svchost.exe[1156] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EA0FEF
.text C:WINDOWSsystem32svchost.exe[1156] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EA0FC3
.text C:WINDOWSsystem32svchost.exe[1156] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA0FDE
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0FEF
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF009A
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0FA5
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0073
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0062
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0036
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F5C
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0F79
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF00C9
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF0F26
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF0F15
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF0047
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0000
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF0F8A
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0FCA
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF001B
.text C:WINDOWSsystem32svchost.exe[1156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0F37
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0FB9
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE0F83
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0FD4
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0FE5
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0040
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0000
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EE0025
.text C:WINDOWSsystem32svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0FA8
.text C:WINDOWSsystem32svchost.exe[1156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0FA1
.text C:WINDOWSsystem32svchost.exe[1156] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED002C
.text C:WINDOWSsystem32svchost.exe[1156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED0FD7
.text C:WINDOWSsystem32svchost.exe[1156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0000
.text C:WINDOWSsystem32svchost.exe[1156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0FC6
.text C:WINDOWSsystem32svchost.exe[1156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED0011
.text C:WINDOWSsystem32svchost.exe[1156] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EB0FE5
.text C:WINDOWSsystem32svchost.exe[1156] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EB0000
.text C:WINDOWSsystem32svchost.exe[1156] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EB0FD4
.text C:WINDOWSsystem32svchost.exe[1156] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EB002F
.text C:WINDOWSsystem32svchost.exe[1156] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0FEF
.text C:WINDOWSSystem32svchost.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02130FE5
.text C:WINDOWSSystem32svchost.exe[1256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0213000A
.text C:WINDOWSSystem32svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02130FD4
.text C:WINDOWSSystem32svchost.exe[1256] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:WINDOWSSystem32svchost.exe[1256] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 031A0000
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 031A00B8
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 031A0FB9
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 031A0093
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 031A0FCA
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 031A005B
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031A00EB
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 031A00DA
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031A0117
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031A0106
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 031A0F6D
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 031A006C
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 031A0011
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 031A00C9
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 031A0036
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 031A0FE5
.text C:WINDOWSSystem32svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 031A0F88
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02930FCA
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02930051
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0293001B
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02930FE5
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02930F94
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02930000
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02930040
.text C:WINDOWSSystem32svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02930FB9
.text C:WINDOWSSystem32svchost.exe[1256] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:WINDOWSSystem32svchost.exe[1256] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0087000A
.text C:WINDOWSSystem32svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02920FBE
.text C:WINDOWSSystem32svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 02920049
.text C:WINDOWSSystem32svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0292001D
.text C:WINDOWSSystem32svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0292000C
.text C:WINDOWSSystem32svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0292002E
.text C:WINDOWSSystem32svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02920FE3
.text C:WINDOWSSystem32svchost.exe[1256] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0290000A
.text C:WINDOWSSystem32svchost.exe[1256] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0290001B
.text C:WINDOWSSystem32svchost.exe[1256] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02900036
.text C:WINDOWSSystem32svchost.exe[1256] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02900047
.text C:WINDOWSSystem32svchost.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02910FEF
.text C:WINDOWSsystem32svchost.exe[1300] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008C0000
.text C:WINDOWSsystem32svchost.exe[1300] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008C0FE5
.text C:WINDOWSsystem32svchost.exe[1300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008C001B
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30FEF
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A30F6D
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A30F88
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A30F99
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A30062
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A30040
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A30087
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A30F3F
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A30F1A
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A300A9
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A300CE
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A30051
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A30014
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A30F5C
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A3002F
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A30FDE
.text C:WINDOWSsystem32svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A30098
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008F0047
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008F0FAC
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008F0036
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008F0011
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008F0FD1
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008F0000
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008F0073
.text C:WINDOWSsystem32svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008F0062
.text C:WINDOWSsystem32svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008E0FA1
.text C:WINDOWSsystem32svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 008E002C
.text C:WINDOWSsystem32svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008E0000
.text C:WINDOWSsystem32svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008E0FE3
.text C:WINDOWSsystem32svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008E001B
.text C:WINDOWSsystem32svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008E0FC6
.text C:WINDOWSsystem32svchost.exe[1300] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 008D0FEF
.text C:WINDOWSsystem32svchost.exe[1300] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 008D0000
.text C:WINDOWSsystem32svchost.exe[1300] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 008D001B
.text C:WINDOWSsystem32svchost.exe[1300] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 008D0FC0
.text C:WINDOWSsystem32svchost.exe[1492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DC000A
.text C:WINDOWSsystem32svchost.exe[1492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DC0036
.text C:WINDOWSsystem32svchost.exe[1492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC0025
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E10000
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E10FB6
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E10FC7
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E1009F
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E1008E
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E1006C
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E10F74
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E10F91
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E100F2
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E100D7
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E10103
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E1007D
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E10025
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E100BC
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E10051
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E10040
.text C:WINDOWSsystem32svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E10F59
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E00FB9
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E00F5E
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E00FCA
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E00FDB
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E00F79
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E00000
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E00025
.text C:WINDOWSsystem32svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E00FA8
.text C:WINDOWSsystem32svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DF0038
.text C:WINDOWSsystem32svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DF0FAD
.text C:WINDOWSsystem32svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DF0FD9
.text C:WINDOWSsystem32svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DF0000
.text C:WINDOWSsystem32svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DF0FC8
.text C:WINDOWSsystem32svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DF001D
.text C:WINDOWSsystem32svchost.exe[1492] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DD000A
.text C:WINDOWSsystem32svchost.exe[1492] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DD0FEF
.text C:WINDOWSsystem32svchost.exe[1492] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DD0FDE
.text C:WINDOWSsystem32svchost.exe[1492] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DD0025
.text C:WINDOWSsystem32svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DE0FE5
.text C:WINDOWSsystem32svchost.exe[1616] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DD0000
.text C:WINDOWSsystem32svchost.exe[1616] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DD0011
.text C:WINDOWSsystem32svchost.exe[1616] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD0FDB
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E2000A
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E2006C
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E20F77
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E20F88
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E20051
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E20FC0
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E20F50
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E20098
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E200D5
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E200C4
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E20F2B
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E20FAF
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E20025
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E20087
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E20FE5
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E20036
.text C:WINDOWSsystem32svchost.exe[1616] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E200B3
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E10036
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E10F9E
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E10025
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E1000A
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E10051
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E10FEF
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E10FAF
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [01, 89]
.text C:WINDOWSsystem32svchost.exe[1616] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E10FCA
.text C:WINDOWSsystem32svchost.exe[1616] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00FE3
.text C:WINDOWSsystem32svchost.exe[1616] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E0006E
.text C:WINDOWSsystem32svchost.exe[1616] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E0002E
.text C:WINDOWSsystem32svchost.exe[1616] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00000
.text C:WINDOWSsystem32svchost.exe[1616] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00053
.text C:WINDOWSsystem32svchost.exe[1616] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E0001D
.text C:WINDOWSsystem32svchost.exe[1616] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DE0000
.text C:WINDOWSsystem32svchost.exe[1616] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DE0FE5
.text C:WINDOWSsystem32svchost.exe[1616] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DE0011
.text C:WINDOWSsystem32svchost.exe[1616] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DE002C
.text C:WINDOWSsystem32svchost.exe[1616] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF000A
.text C:WINDOWSExplorer.EXE[1632] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00ED0FEF
.text C:WINDOWSExplorer.EXE[1632] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00ED0011
.text C:WINDOWSExplorer.EXE[1632] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00ED0000
.text C:\WINDOWS\Explorer.EXE[1632] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1632] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01AD0FEF
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01AD0F77
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01AD0062
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01AD0F88
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01AD0FA5
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01AD0036
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01AD0F3F
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01AD0087
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01AD0F1D
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01AD00B6
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01AD00C7
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01AD0051
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01AD000A
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01AD0F5C
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01AD001B
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01AD0FD4
.text C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01AD0F2E
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01AC0014
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01AC006C
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01AC0FC3
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01AC0FD4
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01AC0051
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01AC0FEF
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01AC0036
.text C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01AC0025
.text C:\WINDOWS\Explorer.EXE[1632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A00066
.text C:\WINDOWS\Explorer.EXE[1632] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A00055
.text C:\WINDOWS\Explorer.EXE[1632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A00029
.text C:\WINDOWS\Explorer.EXE[1632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A00FEF
.text C:\WINDOWS\Explorer.EXE[1632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A00044
.text C:\WINDOWS\Explorer.EXE[1632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A00018
.text C:\WINDOWS\Explorer.EXE[1632] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EE0FE5
.text C:\WINDOWS\Explorer.EXE[1632] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EE0FD4
.text C:\WINDOWS\Explorer.EXE[1632] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EE0FB9
.text C:\WINDOWS\Explorer.EXE[1632] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EE0000
.text C:\WINDOWS\Explorer.EXE[1632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B90FCD
.text C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F66
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0F77
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0051
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0F94
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD002F
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD00A4
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0093
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD00D0
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD00B5
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD00EB
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0040
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0076
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD0F41
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC002C
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0F8A
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0FA5
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC000A
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CC003D
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC0FC0
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FB2
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FCD
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0022
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\svchost.exe[2020] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[2020] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BA0FDB
.text C:\WINDOWS\system32\svchost.exe[2020] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[2020] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[2020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0131000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0132000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0130000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A519AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\cmdide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




The problem has gotten worse. I now have Dad's computer unplugged from the internet. He never uses IE, and I noticed when I defragged that IE temp internet folders kept showing up full of junk. As soon as I would delete one folder, another would pop up and start filling up with .swf and .flv files along with lots of other junk. I updated Malwarebytes again and unplugged his modem. Running another scan now. HELP!

The scan has finished and it found 2 files infected with Rogue.MultipleAV and Security Center was disabled. The computer is still disconnected from the internet. I restarted it, ran CCleaner, defragged, and now I'm running MB again. I printed the report since I have his computer disconnected.
The Database Ver.: 4031 OS: Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702

Edited by Andrew, 01 May 2010 - 11:52 PM.
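The GMER "hooks" section above lists, per process, every exported function whose first 5 bytes have been overwritten with a JMP to somewhere else. Reading eighty such lines by hand is error-prone, so here is a small triage script, added as an example for readers of this thread (it is not part of the thread and not GMER's own code). It parses lines in that format, groups them by process, tallies which modules were patched, which capability each hooked API gates (file, process, memory, loader, registry, network; these category labels are the editor's, not GMER's), and how many distinct 64 KiB regions the JMP targets land in, which is a quick hint at how many separate agents planted trampolines. The sample input is seven lines copied from the log above plus one non-hook line to show it is skipped.

```python
"""Triage helper for GMER user-mode hook lines (editorial example; not GMER code)."""
import re

# One GMER hook line looks like:
# .text  C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateFileA 7C801A28 5 Bytes  JMP 01AD0FEF
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# Capability each hooked API gates. Editorial grouping, chosen to cover the APIs in this thread.
CATEGORIES = {
    "file":     {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
    "process":  {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "memory":   {"NtProtectVirtualMemory", "NtWriteVirtualMemory", "VirtualProtect", "VirtualProtectEx"},
    "loader":   {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network":  {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
}

# Constructed sample: seven hook lines copied from the log in this thread, plus one section header.
SAMPLE_LOG = r"""
.text  C:\WINDOWS\Explorer.EXE[1632] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes  JMP 00BC000A
.text  C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateFileA 7C801A28 5 Bytes  JMP 01AD0FEF
.text  C:\WINDOWS\Explorer.EXE[1632] kernel32.dll!CreateProcessW 7C802336 5 Bytes  JMP 01AD0F1D
.text  C:\WINDOWS\Explorer.EXE[1632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes  JMP 01AC0014
.text  C:\WINDOWS\Explorer.EXE[1632] WS2_32.dll!socket 71AB4211 5 Bytes  JMP 00EF0000
.text  C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateFileA 7C801A28 5 Bytes  JMP 00CD0FEF
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes  JMP 0131000A
---- Devices - GMER 1.0.15 ----
"""


def parse_hook(line):
    """Return a dict for one hook line, or None if the line is not a hook entry."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["size"] = int(d["size"])
    d["addr"] = int(d["addr"], 16)
    d["target"] = int(d["target"], 16)
    return d


def parse_hooks(text):
    """Parse every hook line in a GMER log body; non-hook lines are ignored."""
    return [h for h in (parse_hook(line) for line in text.splitlines()) if h]


def category_of(func):
    for name, funcs in CATEGORIES.items():
        if func in funcs:
            return name
    return "other"


def summarize(hooks):
    """Per (image, pid): hook count, patched modules, gated capabilities, 64 KiB trampoline regions."""
    out = {}
    for h in hooks:
        s = out.setdefault((h["image"], h["pid"]),
                           {"count": 0, "modules": set(), "categories": set(), "regions": set()})
        s["count"] += 1
        s["modules"].add(h["module"].lower())
        s["categories"].add(category_of(h["func"]))
        s["regions"].add(h["target"] & ~0xFFFF)   # 64 KiB granularity, as in the log's 01ADxxxx clusters
    return out


def report(summary):
    """One human-readable triage line per hooked process, most hooks first."""
    lines = []
    for (image, pid), s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        regions = ", ".join(f"{r:08X}" for r in sorted(s["regions"]))
        lines.append(f"{image}[{pid}]: {s['count']} hooks in {', '.join(sorted(s['modules']))}; "
                     f"capabilities: {', '.join(sorted(s['categories']))}; trampoline regions: {regions}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_hooks(SAMPLE_LOG))):
        print(line)
```

The script deliberately stops at "what is intercepted, and from where"; the GMER hook list alone cannot tell a security product's hooks from a rootkit's. The next step for whoever reads the log is to compare each trampoline region against the modules actually loaded in that process (not something GMER prints here) and confirm whether a known, signed component owns it.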



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:44 PM

Posted 02 May 2010 - 08:22 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 wa4kec

wa4kec
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 02 May 2010 - 11:22 AM

THANKS!!! I'll get to work on it.

#4 wa4kec

wa4kec
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 03 May 2010 - 10:47 AM

Here are all the logs you requested. I've also attached a zip folder with 3 Malwarebytes logs. 2 show infections, with the third indicating a supposedly clean system. What's happening now is I get a popup tab in Firefox wanting me to take a survey. Also, within a few minutes of connecting to the internet I start seeing heavy traffic on my modem. A lot of temporary internet files start showing up at the following: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VNX0HBM6\ along with a LOT of other subfolders in the Content.IE5 folder.
Thanks for helping me with this. I really appreciate it.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:37:10.48 on Mon 01/01/2007
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1520 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3622
uSearch Page = hxxp://my.juno.com/s/search?r=minisearch
uSearch Bar = hxxp://my.juno.com/s/search?r=minisearch
mDefault_Search_URL = hxxp://my.juno.com/s/search?r=minisearch
mSearch Page = hxxp://my.juno.com/s/search?r=minisearch
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
mSearchAssistant = hxxp://my.juno.com/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\juno\SearchEnh1.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\juno\qsacc\X1IEBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100427154000.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\AGRemind.exe
IE: Display All Images with Full Quality - "c:\program files\juno\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\juno\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\88j3n9ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-13 385536]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-13 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-19 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-13 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-13 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-13 141792]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-13 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-13 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-13 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-13 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-6-30 69692]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-13 83496]

=============== Created Last 30 ================

2010-05-01 18:46:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-01 18:46:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 00:18:19 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-26 00:44:07 10043336 ----a-w- c:\documents and settings\owner\windows-kb890830-v3.6.exe
2010-04-24 03:16:01 0 d-----w- c:\docume~1\owner\applic~1\3F6715C76EA4DA85A337F99B9ADFC914
2010-04-20 19:16:19 0 d-----w- c:\program files\common files\Broderbund
2010-04-20 01:30:42 0 d-----w- c:\windows\BBSTORE
2010-04-20 01:30:36 0 d-----w- c:\program files\Web Publish
2010-04-20 01:29:48 0 d-----w- c:\program files\Broderbund
2010-04-13 23:24:45 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-13 23:24:34 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-13 23:24:34 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-13 23:24:34 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-13 23:24:34 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-13 23:24:34 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-13 23:24:34 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-13 23:24:34 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-13 23:24:34 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-13 23:24:34 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-03 00:38:05 0 d-----w- c:\documents and settings\owner\dwhelper
2010-03-15 23:33:09 0 d-----w- c:\program files\DVDVideoSoft
2010-03-15 23:33:09 0 d-----w- c:\program files\common files\DVDVideoSoft
2010-03-15 23:16:42 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-03-15 23:13:38 0 d-----w- C:\Mp3 Output
2010-03-15 23:13:35 0 d-----w- c:\program files\Smallvideosoft
2010-03-15 22:57:09 311296 ----a-w- c:\windows\system32\TubeFinder.exe
2010-03-15 22:57:08 84512 ----a-w- c:\windows\system32\PICCLP32.OCX
2010-03-15 22:57:08 364544 ----a-w- c:\windows\system32\PropertyGrid.ocx
2010-03-15 22:57:08 208500 ----a-w- c:\windows\system32\ReyXpBasics.tlb
2010-03-15 22:57:08 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-03-15 22:57:08 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-03-15 22:57:07 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2010-03-15 22:57:07 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-03-15 22:57:07 24576 ----a-w- c:\windows\system32\ControlSubX.ocx
2010-03-15 22:57:07 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2010-03-15 22:57:07 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-03-15 22:57:07 0 d-----w- c:\docume~1\owner\applic~1\FreeFLVConverter
2010-03-15 01:40:56 1559 ---ha-w- C:\IPH.PH
2010-03-15 01:40:56 0 d--h--w- C:\TEMP
2010-03-10 12:43:46 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 23:01:21 0 d-----w- c:\docume~1\alluse~1\applic~1\TomTom
2010-03-06 22:51:52 0 d-----w- c:\docume~1\owner\applic~1\TomTom
2010-03-06 22:51:20 0 d-----w- c:\program files\TomTom HOME 2
2010-03-06 20:41:01 0 d-----w- c:\program files\TomTom International B.V
2010-03-06 20:39:34 20299200 ----a-w- c:\documents and settings\owner\TomTomHOME2winlatest.exe
2010-02-12 04:33:11 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-06 00:00:57 93 ----a-w- c:\windows\mail.ini
2010-02-05 23:58:03 0 d-----w- c:\program files\Juno
2010-02-05 23:58:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Juno
2010-02-05 23:58:00 0 d-----w- C:\JunoInstaller
2010-02-01 16:06:23 0 d-----w- c:\program files\SpywareBlaster
2010-01-29 13:21:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2010-01-29 13:21:36 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-01-24 21:51:49 0 d-----w- c:\docume~1\owner\applic~1\OpenOffice.org
2010-01-24 21:50:07 0 d-----w- c:\program files\JRE
2010-01-24 21:50:00 0 d-----w- c:\program files\OpenOffice.org 3
2010-01-24 21:49:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 16:00:21 0 d-----w- c:\program files\GPLGS
2010-01-23 15:59:50 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-01-23 15:59:49 0 d-----w- c:\program files\Acro Software
2010-01-23 15:29:09 8392 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2010-01-21 00:59:09 626960 ----a-r- c:\windows\system32\hpvaut32.dll
2010-01-21 00:59:09 487424 ----a-r- c:\windows\system32\hpvcp70.dll
2010-01-21 00:59:09 44544 ----a-r- c:\windows\system32\MSXML4a.dll
2010-01-21 00:59:09 344064 ----a-r- c:\windows\system32\hpvcr70.dll
2010-01-21 00:58:51 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-01-21 00:56:18 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2010-01-21 00:53:46 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-21 00:53:46 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-21 00:52:16 34468 ------w- c:\windows\hpomdl03.dat
2010-01-21 00:52:16 28947 ----a-w- c:\windows\hpoins03.dat
2010-01-21 00:49:28 0 d-----w- c:\windows\pss
2010-01-21 00:45:00 0 d-----w- c:\program files\common files\HP
2010-01-21 00:42:34 37376 ----a-w- c:\windows\system32\hpz3l3xu.dll
2010-01-21 00:41:23 94208 ----a-r- c:\windows\system32\HPZipt12.dll
2010-01-21 00:41:23 65795 ----a-r- c:\windows\system32\HPZipm12.exe
2010-01-21 00:41:23 61699 ----a-r- c:\windows\system32\HPZinw12.exe
2010-01-21 00:41:23 57344 ----a-r- c:\windows\system32\HPZisn12.dll

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:44 PM

Posted 04 May 2010 - 12:05 PM

Hello, wa4kec
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.


Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#6 wa4kec

wa4kec
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 04 May 2010 - 03:35 PM

NOTE: I opened this account to work on my Dad's computer as he isn't able to do this himself. So the following account is of me (his son) following the instructions on his behalf.

I ran the combofix program and it said it found rootkit activity and restarted his computer. After it ran, deleted some files, and created the log, I then logged on here and tried to post the results. However, every time I attempted to do so it would say "connection reset". I would navigate back here and try again with the same results. Also, when I reconnected to the internet it resumed continuously downloading files to the IE5 temp folders again. I had to email the file to myself and then go back to my home to see if I could post it from there. Thanks for your help. Here are the results.

ComboFix 10-05-04.01 - Owner 05/04/2010 15:41:38.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1552 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\schrauber.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\3F6715C76EA4DA85A337F99B9ADFC914
c:\documents and settings\Owner\Application Data\3F6715C76EA4DA85A337F99B9ADFC914\enemies-names.txt
c:\documents and settings\Owner\Start Menu\Programs\Antimalware Doctor
c:\program files\WindowsUpdate
c:\recycler\S-1-5-21-3751842287-2595302631-1493888825-1003
c:\windows\system32\Thumbs.db
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-01 18:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-01 18:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 09:29 . 2010-04-27 09:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-26 00:44 . 2010-04-26 00:44 10043336 ----a-w- c:\documents and settings\Owner\windows-kb890830-v3.6.exe
2010-04-24 03:26 . 2010-04-24 03:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-20 01:30 . 2010-04-20 01:30 -------- d-----w- c:\windows\BBSTORE
2010-04-20 01:30 . 2010-04-20 19:17 -------- d-----w- c:\program files\Web Publish
2010-04-20 01:29 . 2010-04-20 19:15 -------- d-----w- c:\program files\Broderbund
2010-04-13 23:24 . 2010-04-14 16:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-13 23:24 . 2010-04-14 16:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-13 23:24 . 2010-04-14 16:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-13 23:24 . 2010-04-14 16:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-13 23:24 . 2010-04-14 16:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-13 23:24 . 2010-04-14 16:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-13 23:24 . 2010-04-14 16:29 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-13 23:24 . 2010-04-14 16:29 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-13 23:24 . 2010-04-14 16:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-13 23:24 . 2010-04-14 16:29 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 19:37 . 2006-07-01 05:59 6656 ----a-w- c:\windows\system32\drivers\cmdide.sys
2010-05-04 19:25 . 2010-02-01 16:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-04 18:23 . 2010-01-24 21:58 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-01 20:47 . 2010-01-20 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-01 18:46 . 2010-01-19 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 18:39 . 2010-01-19 19:30 -------- d-----w- c:\program files\Defraggler
2010-05-01 18:38 . 2010-01-19 19:30 -------- d-----w- c:\program files\CCleaner
2010-05-01 00:38 . 2010-01-23 15:29 8392 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-04-22 23:25 . 2010-02-01 16:06 -------- d-----w- c:\program files\SpywareBlaster
2010-04-20 19:16 . 2010-04-20 19:16 -------- d-----w- c:\program files\Common Files\Broderbund
2010-04-20 19:16 . 2010-01-19 20:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-20 01:39 . 2010-01-19 21:10 63840 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-19 18:33 . 2010-01-31 14:59 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink
2010-04-14 12:16 . 2010-01-19 19:54 -------- d-----w- c:\program files\McAfee.com
2010-04-13 23:28 . 2010-01-19 19:53 -------- d-----w- c:\program files\McAfee
2010-04-13 23:28 . 2010-01-19 19:54 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-02 17:03 . 2010-01-20 01:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-15 23:33 . 2010-03-15 23:33 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-03-15 23:33 . 2010-03-15 23:33 -------- d-----w- c:\program files\DVDVideoSoft
2010-03-15 23:13 . 2010-03-15 23:13 -------- d-----w- c:\program files\Smallvideosoft
2010-03-15 22:59 . 2010-03-15 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\FreeFLVConverter
2010-03-10 06:15 . 2006-05-07 00:24 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 23:01 . 2010-03-06 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2010-03-06 22:51 . 2010-03-06 22:51 -------- d-----w- c:\documents and settings\Owner\Application Data\TomTom
2010-03-06 22:51 . 2010-03-06 22:51 -------- d-----w- c:\program files\TomTom HOME 2
2010-03-06 20:41 . 2010-03-06 20:41 -------- d-----w- c:\program files\TomTom International B.V
2010-03-06 20:40 . 2010-03-06 20:39 20299200 ----a-w- c:\documents and settings\Owner\TomTomHOME2winlatest.exe
2010-02-25 06:24 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-05-07 00:24 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 14:17 . 2010-02-23 14:17 1955624 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-17 13:43 . 2010-02-17 13:43 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2010-02-17 13:10 . 2006-05-07 00:24 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-05-07 00:24 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-05-07 00:24 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-04-14 16:29 . 2010-04-13 23:24 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-13 16132608]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2010-4-20 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-06-26 23:50 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-07-14 00:19 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/13/2010 7:24 PM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/19/2010 3:57 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/13/2010 7:24 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/13/2010 7:24 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/13/2010 7:24 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/13/2010 7:24 PM 141792]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/13/2010 7:24 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/13/2010 7:24 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/13/2010 7:24 PM 88480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 12:44 AM 69692]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/13/2010 7:24 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/13/2010 7:24 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3622
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: Display All Images with Full Quality - "c:\program files\Juno\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\Juno\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\88j3n9ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe
MSConfigStartUp-BigFix - c:\program files\Bigfix\bigfix.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 15:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll
>>UNKNOWN [0x8A4D0AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba18cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f01852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9d5abd4
PacketIndicateHandler -> NDIS.sys @ 0xb9d66a21
SendHandler -> NDIS.sys @ 0xb9d5ad44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-04 15:57:30
ComboFix-quarantined-files.txt 2010-05-04 19:57

Pre-Run: 47,232,729,088 bytes free
Post-Run: 47,215,656,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition"
/noexecute=optin /fastdetect

- - End Of File - - BD3E90711BA9226F52395FF0A8741C5C

Edited by wa4kec, 04 May 2010 - 03:36 PM.
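Reading a ComboFix log by hand is error-prone, and the parts that matter in this thread are easy to skim past: the AV/FW banner lines marked *disabled*, the Security Center DisableMonitoring values that silence the "your antivirus is off" warning, the Windows Firewall standard profile switched off, the same driver being "found and disinfected" over and over (the sign that the rootkit re-infects the file as fast as the tool restores it), and the unnamed module in the disk driver call chain that the MBR check prints as >>UNKNOWN<<. The script below, added here as an example and not part of the original post, of BleepingComputer's tooling or of ComboFix itself, pulls those indicators out of a log. The log text embedded in it is a constructed excerpt in ComboFix's own output format, not a real log file; point triage() at the contents of C:\ComboFix.txt to run it on a real one.

```python
"""Triage a ComboFix log for the indicators that matter in a rootkit case.

Added example, not code from the original post or from the ComboFix tool.
The excerpt below is constructed to mirror the log format; feed the text of a
real C:\\ComboFix.txt to triage() instead.
"""
import re
from collections import Counter

# Constructed excerpt in ComboFix's output format (not a real log file).
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\cmdide.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll
>>UNKNOWN [0x8A4D0AC8]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba18cf28
\Driver\atapi -> atapi.sys @ 0xb9f01852
user & kernel MBR OK
"""

PROTECTION_RE = re.compile(r"^(AV|FW): (.+?) \*(.*?disabled.*?)\*", re.IGNORECASE)
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$", re.IGNORECASE)
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')
UNKNOWN_RE = re.compile(r"^>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<$")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9A-Fa-f]+)$")


def triage(log: str) -> dict:
    """Walk the log once and collect the indicators worth acting on."""
    findings = {
        "protection_disabled": [],    # (AV|FW, product, state) from the banner lines
        "disinfected": Counter(),     # lower-cased path -> times ComboFix repaired it
        "security_center_muted": [],  # products whose Security Center monitoring is off
        "firewall_off": False,        # Windows Firewall standard profile disabled
        "unknown_modules": [],        # addresses of unnamed code in the disk I/O call chain
        "hooks": [],                  # (driver object, hooked module, address)
    }
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)          # remember which key the values below belong to
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).lower()
            key = current_key.lower()
            if "security center\\monitoring\\" in key and name == "DisableMonitoring" and value.endswith("1"):
                findings["security_center_muted"].append(current_key.rsplit("\\", 1)[-1])
            elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == "0":
                findings["firewall_off"] = True
            continue
        m = PROTECTION_RE.match(line)
        if m:
            findings["protection_disabled"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings["disinfected"][m.group(1).lower()] += 1   # DRIVERS and drivers are the same file
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            findings["unknown_modules"].append(m.group(1))
            continue
        m = HOOK_RE.match(line)
        if m:
            findings["hooks"].append(m.groups())
    return findings


def reinfected_files(findings: dict) -> list:
    """Files repaired more than once in one run: the infection is still active, not a leftover."""
    return sorted(path for path, n in findings["disinfected"].items() if n > 1)


def summarize(findings: dict) -> list:
    """Human-readable lines a helper could paste into a reply."""
    out = []
    for kind, product, state in findings["protection_disabled"]:
        out.append(f"{kind} {product}: {state}")
    for product in findings["security_center_muted"]:
        out.append(f"Security Center monitoring silenced for {product}")
    if findings["firewall_off"]:
        out.append("Windows Firewall standard profile is off")
    for path in reinfected_files(findings):
        out.append(f"{path} repaired {findings['disinfected'][path]} times in one run: active rootkit")
    for addr in findings["unknown_modules"]:
        out.append(f"unnamed kernel module at {addr} in the disk driver call chain")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

The repeat count is the most useful number here: one "found and disinfected" line means ComboFix replaced a patched driver, while the same file showing up several times in a single run means something in memory is re-patching it between writes, which is exactly when a helper escalates to a rootkit-specific script or an offline (Recovery Console) repair.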


#7 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 06 May 2010 - 11:54 AM

Hi,


You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat

You will see many files copied then return to the x:\windows> prompt.
Type Exit then restart your computer and logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

NEXT:

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig


Post the log in your next reply
regards,
schrauber


#8 wa4kec (Topic Starter, Members, 23 posts)

Posted 07 May 2010 - 01:31 PM

No luck using Maxlook. When I try to run the Recovery Console it says "error reading disk, press ctrl alt del to restart". There are no OS disks with this computer. The manufacturer installed a separate recovery partition on the hard drive to reinstall the OS with. It's looking like I will probably have to go the "nuclear option" route and reinstall the OS along with all the XP updates for the past several years. I was so hoping to avoid that. Anything else I can try???

Edited by wa4kec, 07 May 2010 - 05:51 PM.


#9 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 08 May 2010 - 06:51 AM

Hi,

You can also go here and create a Recovery Console CD. Just click the link provided there to download the recovery_console_cd.zip and unzip that to your desktop.

Then inside the recovery_console_cd folder that created locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system. For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.
regards,
schrauber


#10 wa4kec (Topic Starter, Members, 23 posts)

Posted 08 May 2010 - 04:07 PM

I created the recovery cd per their instructions, set the computer to boot to cd first, inserted the cd and restarted. It came up and said it was going to boot to the cd then skipped it and booted straight to the OS instead. Evidently it doesn't recognize it as a bootable cd or something else is preventing it from running. I don't need to run Maxlook again do I? I ran it the other night and haven't again since it said to use it...ONLY ONCE! So I haven't bothered with it.

Edited by wa4kec, 08 May 2010 - 04:09 PM.


#11 wa4kec (Topic Starter, Members, 23 posts)

Posted 08 May 2010 - 05:10 PM

Found another program to make the bootable cd with and got it to work. Also have noticed that when I have the computer online and do a Google search that something is redirecting me when I click on the results. Instead of the link I want it takes me to advertisement sites. Here are the Maxlook logs:

Run from C:\Documents and Settings\Owner\Desktop\maxlook.exe on Sat 05/08/2010 at 17:59:06.56

No infected file found

------------------------------------------------------

Run from C:\Documents and Settings\Owner\Desktop\maxlook.exe on Sat 05/08/2010 at 18:03:22.12

--------- maxlook unsigned files ---------

c:\windows\maxdriver\cmdide.sys:
    Verified:    Unsigned
    File date:    6:16 PM 5/6/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a

--------- system32\drivers unsigned files ---------

No matching files were found.

Edited by wa4kec, 08 May 2010 - 05:18 PM.


#12 wa4kec (Topic Starter, Members, 23 posts)

Posted 08 May 2010 - 07:04 PM

I updated Spybot Search & Destroy and scanned the computer again. It found a trojan called Win32.Agent.svc and "fixed" it. I can't tell any difference, however. I still have temporary internet files that grow and grow without browser use, I still get a popup in Firefox from time to time wanting me to take a survey, and something is hijacking my Google search. If I click on a result it takes me somewhere completely unrelated. If I type in the address myself it works fine.

#13 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 11 May 2010 - 11:09 AM

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

TDL::
c:\windows\system32\drivers\cmdide.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber


#14 wa4kec (Topic Starter, Members, 23 posts)

Posted 11 May 2010 - 03:27 PM

Here's the ComboFix log:

ComboFix 10-05-04.01 - Owner 05/11/2010 15:55:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1542 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\cmdide.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\cmdide.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\cmdide.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\cmdide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-08 22:03 . 2010-02-26 21:26 220024 ----a-w- c:\windows\sigcheck.exe
2010-05-07 18:05 . 2010-05-08 21:59 -------- d-----w- c:\windows\maxdriver
2010-05-04 19:32 . 2010-05-04 19:57 -------- d-----w- C:\schrauber
2010-05-01 18:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-01 18:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 09:29 . 2010-04-27 09:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-26 00:44 . 2010-04-26 00:44 10043336 ----a-w- c:\documents and settings\Owner\windows-kb890830-v3.6.exe
2010-04-24 03:26 . 2010-04-24 03:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-20 01:30 . 2010-04-20 01:30 -------- d-----w- c:\windows\BBSTORE
2010-04-20 01:30 . 2010-04-20 19:17 -------- d-----w- c:\program files\Web Publish
2010-04-20 01:29 . 2010-04-20 19:15 -------- d-----w- c:\program files\Broderbund
2010-04-13 23:24 . 2010-04-14 16:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-13 23:24 . 2010-04-14 16:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-13 23:24 . 2010-04-14 16:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-13 23:24 . 2010-04-14 16:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-13 23:24 . 2010-04-14 16:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-13 23:24 . 2010-04-14 16:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-13 23:24 . 2010-04-14 16:29 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-13 23:24 . 2010-04-14 16:29 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-13 23:24 . 2010-04-14 16:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-13 23:24 . 2010-04-14 16:29 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 19:52 . 2006-07-01 05:59 6656 ----a-w- c:\windows\system32\drivers\cmdide.sys
2010-05-10 18:09 . 2010-01-24 21:58 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-10 17:51 . 2010-01-23 15:29 8392 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-05-08 23:41 . 2010-01-20 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-04 20:00 . 2010-02-01 16:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-01 18:46 . 2010-01-19 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 18:39 . 2010-01-19 19:30 -------- d-----w- c:\program files\Defraggler
2010-05-01 18:38 . 2010-01-19 19:30 -------- d-----w- c:\program files\CCleaner
2010-04-22 23:25 . 2010-02-01 16:06 -------- d-----w- c:\program files\SpywareBlaster
2010-04-20 19:16 . 2010-04-20 19:16 -------- d-----w- c:\program files\Common Files\Broderbund
2010-04-20 19:16 . 2010-01-19 20:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-20 01:39 . 2010-01-19 21:10 63840 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-19 18:33 . 2010-01-31 14:59 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink
2010-04-14 12:16 . 2010-01-19 19:54 -------- d-----w- c:\program files\McAfee.com
2010-04-13 23:28 . 2010-01-19 19:53 -------- d-----w- c:\program files\McAfee
2010-04-13 23:28 . 2010-01-19 19:54 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-02 17:03 . 2010-01-20 01:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-15 23:33 . 2010-03-15 23:33 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-03-15 23:33 . 2010-03-15 23:33 -------- d-----w- c:\program files\DVDVideoSoft
2010-03-15 23:13 . 2010-03-15 23:13 -------- d-----w- c:\program files\Smallvideosoft
2010-03-15 22:59 . 2010-03-15 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\FreeFLVConverter
2010-03-10 06:15 . 2006-05-07 00:24 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 20:40 . 2010-03-06 20:39 20299200 ----a-w- c:\documents and settings\Owner\TomTomHOME2winlatest.exe
2010-02-25 06:24 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-05-07 00:24 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 14:17 . 2010-02-23 14:17 1955624 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-17 13:43 . 2010-02-17 13:43 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2010-02-17 13:10 . 2006-05-07 00:24 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-05-07 00:24 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-05-07 00:24 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-04-14 16:29 . 2010-04-13 23:24 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-13 16132608]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2010-4-20 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-06-26 23:50 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-07-14 00:19 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/13/2010 7:24 PM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/19/2010 3:57 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/13/2010 7:24 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/13/2010 7:24 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/13/2010 7:24 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/13/2010 7:24 PM 141792]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/13/2010 7:24 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/13/2010 7:24 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/13/2010 7:24 PM 88480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 12:44 AM 69692]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/13/2010 7:24 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/13/2010 7:24 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3622
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: Display All Images with Full Quality - "c:\program files\Juno\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\Juno\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\88j3n9ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 16:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3808)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-11 16:09:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 20:09
ComboFix2.txt 2010-05-04 19:57

Pre-Run: 46,784,385,024 bytes free
Post-Run: 46,760,611,840 bytes free

- - End Of File - - 12CE9516592DCE168718848ACF2DF5A1
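
The Reg Loading Points, firewall policy and service sections of the ComboFix report above are what a responder reads to spot autorun entries whose target file no longer exists (ComboFix marks them `[X]`) and a Windows Firewall that has been turned off. The Python below is an added example, not code from the thread or from ComboFix: it parses a constructed sample built from the report lines above and emits reviewer-style findings; the `[X]` marker and the R/S (running/stopped) plus start-type prefix on service lines follow ComboFix's own format, while the finding wording is mine.

```python
import re

# Constructed sample: lines modelled on the ComboFix report quoted above.
SAMPLE = r'''[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/13/2010 7:24 PM 188136]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 12:44 AM 69692]
'''

SECTION = re.compile(r'^\[(.+)\]$')                                  # [HKLM\...] header
RUN_ENTRY = re.compile(r'^"([^"]+)"="([^"]*)" \[([^\]]*)\]$')         # "name"="target" [date size] or [X]
FW_VALUE = re.compile(r'^"(\w+)"= (\d+) \(0x[0-9a-fA-F]+\)$')         # "EnableFirewall"= 0 (0x0)
SERVICE = re.compile(r'^([RS])(\d) ([^;]+);([^;]*);(.+) \[[^\]]*\]$')  # R/S + start type; name;display;path

def parse_report(text):
    """Single pass over the report, tracking the current [section] header."""
    run, firewall, services = [], {}, []
    section = ''
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1).lower()
        elif section.endswith('\\run') and (m := RUN_ENTRY.match(line)):
            name, target, tag = m.groups()       # tag 'X': ComboFix found no such file on disk
            run.append({'name': name, 'target': target, 'missing': tag == 'X'})
        elif 'firewallpolicy' in section and (m := FW_VALUE.match(line)):
            firewall[m.group(1)] = int(m.group(2))
        elif m := SERVICE.match(line):
            state, start, name, display, path = m.groups()
            services.append({'running': state == 'R', 'start': int(start),
                             'name': name, 'display': display, 'path': path})
    return run, firewall, services

def audit(text):
    """Reviewer-style findings: orphaned autoruns and host firewall posture."""
    run, firewall, services = parse_report(text)
    findings = [f"orphaned autorun: {e['name']} -> {e['target']} (file not found)"
                for e in run if e['missing']]
    third_party_fw = any(s['running'] and 'firewall' in s['display'].lower() for s in services)
    if firewall.get('EnableFirewall') == 0 and not third_party_fw:
        findings.append('Windows Firewall is off and no third-party firewall service is running')
    if firewall.get('DisableNotifications') == 1:
        findings.append('Security Center firewall notifications are suppressed')
    return findings
```

On the sample the disabled Windows Firewall is not reported because a McAfee firewall service is running, which matches the report; the orphaned `Power2GoExpress` entry and the suppressed notifications are.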

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:44 PM

Posted 11 May 2010 - 03:33 PM

Hi,


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



How is it running now?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



