Web Hijacker


This topic is locked
10 replies to this topic

#1 jkolle (Members, 14 posts)

Posted 14 November 2010 - 06:15 PM

When clicking on search results in Internet Explorer, the browser sometimes opens a window directed at Google Analytics, which then redirects to a malware site.
Some of the GMER log is below; the log is too long to post here in full.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-14 14:55:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541040G9SA00 rev.MB2OC60G
Running: gmer.exe; Driver: C:\DOCUME~1\JACKKO~1\LOCALS~1\Temp\kwriypoc.sys

.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F50087
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F5000A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F50FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [15, 89]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50062
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F90F9A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F90025
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F90FB5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90FE3
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F9000A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F90FD2
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\WLTRYSVC.EXE[400] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00A16D20 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00A1720C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00A15B0D C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 00A172CF C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 00A1719F C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 00A15A43 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A17335 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00A16BCB C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 00A158B1 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 00A1612C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00A16508 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 00A16A3C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00A16291 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 00A161B3 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00A1620D C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A15F87 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 00A165FF C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 00A169A6 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00A1590B C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00A16436 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 00A16DF7 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 00A16EA5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00A16677 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00A17154 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00A15BB3 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00A15B2C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 00A170DC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00A16B37 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 00A1639E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 00A16922 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00A16087 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00A16F53 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 00A16CB5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 00A15DAC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 00A16D83 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 00A15E9E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 00A159D5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 00A1705A C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 00A17188 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[412] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 00A17139 C:\WINDOWS\System32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00A46D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00A4720C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00A45B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 00A472CF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 00A4719F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 00A45A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A47335 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00A46BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 00A458B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 00A4612C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00A46508 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 00A46A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00A46291 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 00A461B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00A4620D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A45F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 00A465FF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 00A469A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00A4590B C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00A46436 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 00A46DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 00A46EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00A46677 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00A47154 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00A45BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00A45B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 00A470DC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00A46B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 00A4639E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 00A46922 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00A46087 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00A46F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 00A46CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 00A45DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 00A46D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 00A45E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 00A459D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 00A4705A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 00A47188 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[416] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 00A47139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[548] kernel32.dll!MoveFileWithProgressW

One example of a malware site is www.epoclick.com/?ad=1289776259

Merged posts. ~ OB


#2 Elise

Malware Study Hall Admin

Posted 22 November 2010 - 07:41 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop.
    Note** it is zipped up in a .rar file. If you do not have a program to unzip this type of file,
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


#3 jkolle (Topic Starter)

Posted 22 November 2010 - 08:24 PM

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF7330000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF73B7000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF743E000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6F3C000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF77CE000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF766E000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xAA117000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xF765E000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF770E000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF767E000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA98D4000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76FE000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xA9EA1000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xF75BE000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF764E000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF768E000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF759E000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF774E000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xA8EEA000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xF76AE000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF775E000 C:\WINDOWS\system32\DRIVERS\usbccid.sys 49152 bytes (Microsoft Corporation, USB CCID Driver)
0xF779E000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xA8FAA000 C:\WINDOWS\system32\drivers\mfebopk.sys 45056 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF758E000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF769E000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF757E000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76DE000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76CE000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF75AE000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF773E000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF763E000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF76BE000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF777E000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA88E6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF75CE000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF776E000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78EE000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF791E000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78B6000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78F6000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF78FE000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF77FE000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7856000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF78C6000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF78BE000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7926000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF78AE000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF790E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7916000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF78E6000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xF7806000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF780E000 pbadrv.sys 20480 bytes (Dell Inc, PBA Support Driver)
0xF78D6000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78DE000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF78CE000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7946000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF6F88000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xA8966000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF7996000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7A5A000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xA9DED000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7A76000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAA013000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7A62000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7A32000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xF798E000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7992000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAA372000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7A2A000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7A22000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xF7A2E000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7A6A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7A3A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7A56000 C:\WINDOWS\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0xF7A4E000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7AB0000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7AE2000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7AAE000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A7E000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7AB2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7AB4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A9C000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7AA8000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A80000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C29000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7B7F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C44000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B46000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0xA92E3730 Unknown thread object [ ETHREAD 0x86E14878 ] , 600 bytes
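A small triage script for the module listing above, added here as an example for this thread (it is not GMER's, OTL's or the poster's code). It parses GMER's `<load address> <path> <size> bytes (<vendor>, <description>)` lines and the Stealth-section thread line, then flags three things a responder scans for by hand: modules whose version info GMER could not read, modules reported through a `\Device\` path rather than a file-system path, and kernel modules sitting in user-writable directories. The sample input is copied from the log above except for one constructed line (`xyzzy.sys` under a Temp directory, marked in the code) that exists only so the user-writable rule has something to fire on. The heuristics themselves, and the exemption for the `dump_*` crash-dump drivers, are this example's assumptions, not GMER verdicts.

```python
"""GMER module-list triage (added example for this thread; not GMER's or OTL's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Module line: "<load address> <path> <size> bytes (<vendor>, <description>)".
# The parenthesised part is missing when GMER cannot read the image's version info.
MODULE_RE = re.compile(
    r"^0x(?P<addr>[0-9A-Fa-f]+)\s+(?P<path>.+?)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)
# Stealth-section line: a thread object GMER could not attribute to a known module.
THREAD_RE = re.compile(
    r"^0x(?P<addr>[0-9A-Fa-f]+)\s+Unknown thread object \[ ETHREAD "
    r"0x(?P<ethread>[0-9A-Fa-f]+) \]\s*,\s*(?P<size>\d+) bytes"
)
# Assumption: Windows keeps crash-dump copies of the boot disk stack as dump_*
# drivers; they carry no version resource, so missing info alone is not a lead.
BENIGN_NO_INFO = re.compile(r"^(?:.*\\)?dump_[^\\]+$", re.IGNORECASE)
# Assumption: a kernel driver loaded from a user-writable tree deserves a look.
USER_WRITABLE = re.compile(
    r"\\(?:Temp|Documents and Settings|DOCUME~1|Users)\\", re.IGNORECASE
)


@dataclass
class Module:
    addr: int
    path: str
    size: int
    vendor: Optional[str]
    description: Optional[str]


@dataclass
class Finding:
    addr: int
    subject: str
    reasons: List[str] = field(default_factory=list)


def parse_module(line: str) -> Optional[Module]:
    """Parse one module line; return None for separators, headings and other text."""
    m = MODULE_RE.match(line.strip())
    if not m:
        return None
    vendor = description = None
    if m["info"] is not None:
        # GMER prints "Vendor, Description"; a description may contain its own
        # commas and parentheses, so split only on the first ", ".
        vendor, _, description = m["info"].partition(", ")
    return Module(int(m["addr"], 16), m["path"], int(m["size"]),
                  vendor or None, description or None)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per line that trips a heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        t = THREAD_RE.match(line)
        if t:  # tested first: the generic module pattern would also match this line
            findings.append(Finding(int(t["addr"], 16), f"ETHREAD 0x{t['ethread']}",
                                    ["thread object not attributed to any loaded module"]))
            continue
        mod = parse_module(line)
        if mod is None:
            continue
        reasons = []
        if mod.vendor is None and not BENIGN_NO_INFO.match(mod.path):
            reasons.append("no version info readable")
        if mod.path.startswith("\\Device\\"):
            reasons.append("loaded via a device path, not a file-system path")
        if USER_WRITABLE.search(mod.path):
            reasons.append("kernel module in a user-writable directory")
        if reasons:
            findings.append(Finding(mod.addr, mod.path, reasons))
    return findings


# Sample input: lines copied from the GMER log in this thread, plus one
# CONSTRUCTED line (xyzzy.sys under a Temp directory) so the user-writable rule fires.
SAMPLE_LOG = r"""
0xA9A94000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xA9211000 \Device\mfefirek01.sys 307200 bytes
0xAA6A4000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xAA222000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xAA147000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xA88E6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xA8F00000 C:\DOCUME~1\USER~1\LOCALS~1\Temp\xyzzy.sys 20480 bytes
==============================================
>Stealth
==============================================
0xA92E3730 Unknown thread object [ ETHREAD 0x86E14878 ] , 600 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"0x{f.addr:08X} {f.subject}: {'; '.join(f.reasons)}")
```

Run against the sample, it reports the `\Device\mfefirek01.sys` entry, the constructed Temp-path driver and the unknown ETHREAD, and stays quiet on `dump_atapi.sys` and on `Normandy.SYS`, whose "RKU Driver" vendor string is accepted at face value. That is the point of treating hits as leads rather than detections: a vendor string is not a signature check, and the `mfefirek01` name matches a driver the later OTL driver list attributes to McAfee, Inc., so each hit still has to be cross-checked against a second tool or a hash lookup before anything is removed.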

#4 jkolle (Topic Starter)

Posted 22 November 2010 - 08:26 PM

OTL logfile created on: 11/22/2010 4:36:59 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Jack Kolle\My Documents\malware2
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 498.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 15.17 Gb Free Space | 40.77% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: JACKSLAPTOP | User Name: Jack Kolle | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/22 16:25:37 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jack Kolle\My Documents\malware2\OTL.exe
PRC - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/09/30 13:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/25 14:24:04 | 000,315,392 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\common\DataServer.exe
PRC - [2005/11/30 10:33:04 | 000,180,224 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
PRC - [2005/11/30 05:39:02 | 000,192,512 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
PRC - [2002/08/21 02:13:12 | 000,189,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WISPTIS.EXE


========== Modules (SafeList) ==========

MOD - [2010/11/22 16:25:37 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jack Kolle\My Documents\malware2\OTL.exe
MOD - [2010/08/23 08:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/04/01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2006/03/09 08:25:24 | 000,286,720 | ---- | M] () -- C:\WINDOWS\system32\wxvault.dll
MOD - [2006/03/09 08:24:10 | 000,004,096 | ---- | M] () -- C:\WINDOWS\system32\detoured.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/08/13 08:13:32 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/04/28 17:13:42 | 000,820,488 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Documents and Settings\Jack Kolle\Local Settings\Temp\0319101290458656mcinst.exe -- (0319101290458656mcinstcleanup) McAfee Application Installer Cleanup (0319101290458656)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/04/26 13:29:24 | 000,090,352 | ---- | M] (PC Pitstop LLC) [Disabled | Stopped] -- C:\Program Files\PCPitstop\PCPitstopScheduleService.exe -- (PCPitstop Scheduling)
SRV - [2008/12/18 15:29:50 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2006/03/25 14:24:04 | 000,315,392 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe -- (DataSvr2)
SRV - [2005/11/30 10:33:04 | 000,180,224 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe -- (tcsd_win32.exe)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 22:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/05/10 10:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 10:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/11 04:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/04/13 10:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 10:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 10:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\Changer.sys -- (Changer)
DRV - [2008/04/13 10:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/13 10:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 10:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 08:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/12/09 12:35:00 | 000,018,816 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pbadrv.sys -- (PBADRV)
DRV - [2005/12/01 04:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 04:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 04:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/11/16 18:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/11/10 13:25:14 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/11/02 16:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/09/28 22:57:18 | 000,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2005/08/12 13:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/05/13 19:27:56 | 000,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2004/08/04 02:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 02:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/03 19:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/02/13 13:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2002/10/15 21:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sonypvs1.sys -- (sonypvs1)
DRV - [2001/08/17 11:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 11:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 11:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 11:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 11:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 10:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 10:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 10:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 10:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 10:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 10:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 10:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 10:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 10:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 10:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/04/12 14:04:54 | 000,131,776 | ---- | M] (Intel ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\stvqx3.sys -- (STVqx3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\Extensions\\{5C3C3D32-9DBD-41E9-ADD0-47C13ABB88EC}: C:\Documents and Settings\Jack Kolle\Local Settings\Application Data\{5C3C3D32-9DBD-41E9-ADD0-47C13ABB88EC} [2010/07/17 15:05:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/11/22 12:51:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/22 12:43:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/22 09:55:29 | 000,000,000 | ---D | M]

[2010/11/22 09:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\Mozilla\Extensions
[2010/11/22 09:57:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\Mozilla\Firefox\Profiles\5i5uojfc.default\extensions
[2010/11/22 09:57:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jack Kolle\Application Data\Mozilla\Firefox\Profiles\5i5uojfc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/11/22 09:57:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/12 21:59:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/13 22:28:54 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/07/17 04:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/10/30 15:55:52 | 000,155,648 | ---- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\Mozilla Firefox\plugins\npEModelPlugin.dll
[2010/08/29 11:55:43 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2010/08/29 14:12:50 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101122124336.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll File not found
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe (Wave Systems Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Sun Microsystems, Inc.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll (PCPitstop Exam)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.64.109 213.109.73.42
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (wxvault.dll) - C:\WINDOWS\System32\wxvault.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jack Kolle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jack Kolle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 10:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{63328270-b05b-11dd-86d5-001422f4ecd6}\Shell - "" = AutoRun
O33 - MountPoints2\{63328270-b05b-11dd-86d5-001422f4ecd6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{63328270-b05b-11dd-86d5-001422f4ecd6}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/22 16:25:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jack Kolle\My Documents\malware2
[2010/11/22 12:43:34 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/11/22 12:43:23 | 000,313,288 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/11/22 12:43:23 | 000,152,960 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/11/22 12:43:23 | 000,088,544 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/11/22 12:43:23 | 000,084,264 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/11/22 12:43:23 | 000,084,072 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/11/22 12:43:23 | 000,055,840 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/11/22 12:43:23 | 000,052,104 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/11/22 12:43:12 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/11/22 12:43:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/11/22 11:19:53 | 000,141,792 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2010/11/22 09:57:39 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/11/22 09:57:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/11/22 09:57:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS(2)
[2010/11/22 09:50:35 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/11/14 13:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jack Kolle\Desktop\GooredFix Backups
[2010/11/11 08:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jack Kolle\Desktop\10-189 McMoran JTD
[2010/11/07 09:05:30 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2008/03/01 11:26:40 | 098,224,311 | ---- | C] (Intel Corp.) -- C:\Program Files\QX3Plus.exe
[2006/07/07 20:17:17 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2006/05/01 17:12:17 | 022,490,584 | ---- | C] (Tektronix, Inc. ) -- C:\Program Files\WaveStar.exe

========== Files - Modified Within 30 Days ==========

[2010/11/22 16:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/22 16:13:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/22 15:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/22 14:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/22 13:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/22 13:36:49 | 000,000,400 | ---- | M] () -- C:\WINDOWS\dellstat.ini
[2010/11/22 13:04:24 | 000,406,774 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/22 13:04:24 | 000,063,796 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/22 13:03:45 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Jack Kolle\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/11/22 13:03:40 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2010/11/22 12:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/22 12:13:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/22 11:59:33 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/22 11:59:29 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\466603fa.job
[2010/11/22 11:58:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/22 11:58:36 | 1063,444,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/22 11:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/22 11:03:03 | 000,337,056 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/22 10:55:48 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/22 10:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/22 09:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/21 21:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/21 20:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/21 19:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/21 18:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/21 17:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/14 22:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/11 08:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/07 09:58:41 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/10/26 06:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/10/26 05:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/10/26 04:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/10/26 03:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/10/26 02:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/10/26 01:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/10/26 00:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/10/25 23:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/10/25 22:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At24.job

========== Files Created - No Company Name ==========

[2010/11/22 12:45:18 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2010/08/25 09:00:01 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jack Kolle\Local Settings\Application Data\housecall.guid.cache
[2010/08/21 01:08:09 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\680UWPj.dat
[2010/04/03 11:34:08 | 000,000,400 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2008/12/18 15:29:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2008/03/11 19:46:22 | 000,002,538 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/06/12 18:31:35 | 000,000,672 | ---- | C] () -- C:\Documents and Settings\Jack Kolle\Application Data\lp.xml
[2006/11/29 10:27:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MTSTACK.INI
[2006/05/01 09:53:02 | 000,050,176 | ---- | C] () -- C:\Documents and Settings\Jack Kolle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/05/01 09:33:42 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2006/04/20 10:46:14 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\Jack Kolle\Local Settings\Application Data\fusioncache.dat
[2006/04/15 08:21:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/15 08:12:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/04/15 08:08:18 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/04/15 08:05:38 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2006/04/15 08:05:38 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2006/04/15 07:43:50 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/04/15 07:43:46 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/04/15 07:43:40 | 000,000,390 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/03/25 14:19:50 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_en.dll
[2006/03/24 12:19:22 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2006/03/24 12:14:34 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2006/03/24 12:14:28 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2006/03/24 12:14:22 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2006/03/24 12:14:18 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2006/03/24 12:14:12 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2006/03/24 12:14:08 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2006/03/24 12:14:02 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2006/03/24 12:13:58 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2006/03/24 12:13:52 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2006/03/24 12:13:46 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2006/03/09 08:25:24 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2006/03/09 08:24:10 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[2005/12/01 11:41:20 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2005/11/30 10:33:06 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2005/11/30 10:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_RUS.dll
[2005/11/30 10:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ITA.dll
[2005/11/30 10:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_FRA.dll
[2005/11/30 10:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ESN.dll
[2005/11/30 10:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2005/11/30 10:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_DEU.dll
[2005/11/30 10:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_CHS.dll
[2005/09/20 10:36:06 | 000,798,720 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2004/08/10 10:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 09:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/21 12:03:14 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/07/20 11:27:52 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2004/02/10 14:08:00 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\dlbccoin.ini
[2004/01/14 17:12:02 | 000,114,688 | ---- | C] () -- C:\WINDOWS\pcswin32.dll
[2003/12/11 20:27:20 | 000,221,184 | ---- | C] () -- C:\WINDOWS\MMDB32.dll
[2003/02/17 15:21:30 | 000,045,056 | ---- | C] () -- C:\WINDOWS\YmUpdate.dll
[2003/01/07 12:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/13 14:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbcvs.dll

========== LOP Check ==========

[2010/05/01 13:14:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2006/04/20 11:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MVTLogs
[2010/08/26 11:40:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2010/09/25 18:59:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/06/20 20:58:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/04/15 08:05:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2010/11/22 09:56:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
[2010/03/20 18:12:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\Artogon
[2008/12/18 15:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\EDrawings
[2010/04/17 15:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\ERS G-Studio
[2006/12/06 21:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\Jasc
[2007/11/12 23:02:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\MSNInstaller
[2006/08/31 19:15:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\OverDrive
[2010/08/26 11:19:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\WinPatrol
[2009/06/20 21:25:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jack Kolle\Application Data\YoudaGames
[2009/05/30 12:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2010/11/22 11:59:29 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\Tasks\466603fa.job
[2010/11/07 09:58:41 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/10/25 23:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/11/22 09:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/11/22 10:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/11/22 11:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/11/22 12:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/11/22 13:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/11/22 14:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/11/22 15:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/11/22 16:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/11/21 17:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/11/21 18:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/10/26 00:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/11/21 19:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/11/21 20:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/11/21 21:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/11/14 22:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/10/25 22:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/10/26 01:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/10/26 02:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/10/26 03:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/10/26 04:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/10/26 05:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/10/26 06:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/11/11 08:38:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7920E530
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8B4B9596
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4EE323A4
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B1FBBD09
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5CE2502D

< End of report >

OTL Extras logfile created on: 11/22/2010 4:36:59 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Jack Kolle\My Documents\malware2
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 498.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 15.17 Gb Free Space | 40.77% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: JACKSLAPTOP | User Name: Jack Kolle | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"6112:TCP" = 6112:TCP:*:Enabled:Blizzard Downloader

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"C:\Program Files\World of Warcraft Trial\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft Trial\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Documents and Settings\Jack Kolle\Local Settings\Temp\Blizzard Launcher Temporary - 063a8b20\Launcher.exe" = C:\Documents and Settings\Jack Kolle\Local Settings\Temp\Blizzard Launcher Temporary - 063a8b20\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"C:\Program Files\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 21
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35748B06-FCFC-4700-8285-DAD41689E4FE}" = Broadcom TPM Driver Installer
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{5C9DDCE0-66CF-11D4-9100-0090274FBE9A}" = Intel® System Information Viewer
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6CDAED1C-5B60-4818-88A7-E4A90CD367AF}" = Wave Support Software
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}" = Rhapsody Player Engine
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A5BB72E8-1DFC-452E-A65F-2EB3D92D7772}" = SolidWorks eDrawings 2009
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Embassy Trust Suite by Wave Systems
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AE765884-4770-4A92-82D9-AB3192512B31}" = Preboot Manager
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B5AB9CB4-4AAE-44CC-A6AF-37388326E85F}" = Wave Infrastructure Installer
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D1183FA8-AA29-4C82-B998-9593D7AF42FE}" = NTRU Hybrid TSS v2.0.7
"{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D61524CF-93FE-4193-91AD-C6E21FEEAA5A}" = Logitech Harmony Remote Software 7
"{DD41AC25-61B2-4FC9-90AA-672F32139AC3}" = ETS Launch Pad
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{F1802FA6-54E9-4B24-BD2A-B50866819795}" = EMBASSY Trust Suite by Wave Systems
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"AutoCAD LT 98 Uninstall" = AutoCAD LT 98
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Dell Photo Printer 720" = Dell Photo Printer 720
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"InstallShield_{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"InstallShield_{6CDAED1C-5B60-4818-88A7-E4A90CD367AF}" = Wave Support Software
"InstallShield_{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"InstallShield_{DD41AC25-61B2-4FC9-90AA-672F32139AC3}" = ETS Launch Pad
"InstallShield_{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"InstallShield_{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Uninstall Utility" = McAfee Uninstaller
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Pitstop Optimize3_is1" = PC Pitstop Optimize3 3.0
"Picasa 3" = Picasa 3
"SpywareBlaster_is1" = SpywareBlaster 4.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4245878917-3946568406-3561998704-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/22/2010 3:09:53 PM | Computer Name = JACKSLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mcmscsvc.exe, version 9.15.126.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 11/22/2010 3:12:05 PM | Computer Name = JACKSLAPTOP | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 3

Error - 11/22/2010 3:12:50 PM | Computer Name = JACKSLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mcmscsvc.exe, version 9.15.126.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 11/22/2010 3:14:24 PM | Computer Name = JACKSLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mcmscsvc.exe, version 9.15.126.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 11/22/2010 3:14:45 PM | Computer Name = JACKSLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mcmscsvc.exe, version 9.15.126.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 11/22/2010 3:17:36 PM | Computer Name = JACKSLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mcmscsvc.exe, version 9.15.126.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 11/22/2010 3:22:49 PM | Computer Name = JACKSLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mcmscsvc.exe, version 9.15.126.0, faulting module
mcmscsvc.exe, version 9.15.126.0, fault address 0x000178c5.

Error - 11/22/2010 6:17:24 PM | Computer Name = JACKSLAPTOP | Source = MsiInstaller | ID = 11706
Description = Product: Adobe Acrobat 6.0.1 Standard -- Error 1706.No valid source
could be found for product Adobe Acrobat 6.0.1 Standard. The Windows Installer
cannot continue.

Error - 11/22/2010 6:17:26 PM | Computer Name = JACKSLAPTOP | Source = MsiInstaller | ID = 1024
Description = Product: Adobe Acrobat 6.0.1 Standard - Update '{B6F867E8-F092-4C5E-ACA0-F30547DC3874}'
could not be installed. Error code 1603. Windows Installer can create logs to help
troubleshoot issues with installing software packages. Use the following link for
instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 11/22/2010 8:36:47 PM | Computer Name = JACKSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.17.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/22/2010 3:14:32 PM | Computer Name = JACKSLAPTOP | Source = Service Control Manager | ID = 7031
Description = The McAfee Services service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 11/22/2010 3:14:58 PM | Computer Name = JACKSLAPTOP | Source = Service Control Manager | ID = 7034
Description = The McAfee Services service terminated unexpectedly. It has done
this 3 time(s).

Error - 11/22/2010 3:17:39 PM | Computer Name = JACKSLAPTOP | Source = Service Control Manager | ID = 7034
Description = The McAfee Services service terminated unexpectedly. It has done
this 4 time(s).

Error - 11/22/2010 3:38:00 PM | Computer Name = JACKSLAPTOP | Source = Schedule | ID = 7901
Description = The At12.job command failed to start due to the following error: %%2147942402

Error - 11/22/2010 3:59:00 PM | Computer Name = JACKSLAPTOP | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%2

Error - 11/22/2010 4:38:00 PM | Computer Name = JACKSLAPTOP | Source = Schedule | ID = 7901
Description = The At13.job command failed to start due to the following error: %%2147942402

Error - 11/22/2010 5:38:00 PM | Computer Name = JACKSLAPTOP | Source = Schedule | ID = 7901
Description = The At14.job command failed to start due to the following error: %%2147942402

Error - 11/22/2010 6:38:00 PM | Computer Name = JACKSLAPTOP | Source = Schedule | ID = 7901
Description = The At15.job command failed to start due to the following error: %%2147942402

Error - 11/22/2010 7:38:00 PM | Computer Name = JACKSLAPTOP | Source = Schedule | ID = 7901
Description = The At16.job command failed to start due to the following error: %%2147942402

Error - 11/22/2010 8:38:00 PM | Computer Name = JACKSLAPTOP | Source = Schedule | ID = 7901
Description = The At17.job command failed to start due to the following error: %%2147942402


< End of report >

#5 Elise (Malware Study Hall Admin)

Posted 23 November 2010 - 06:51 AM

Please reset your router; it appears you have a router hijacker. If you are not sure how to do this, provide me with your router specs.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 jkolle (Topic Starter)

Posted 23 November 2010 - 01:02 PM

Elise,

Thank you for your response. I suspected this and will try to figure out how to reset the router. I will not respond for a week because of the holiday.

Best Regards and Happy Holiday
Jack Kolle

#7 Elise

Posted 23 November 2010 - 03:07 PM

Hi, happy holidays!

If you are not sure how to do it, you can call your ISP, or post me your router specs. Typically you have to push the reset button with a small object for about 10 seconds when the router is powered off.

After that, please run Combofix and post the log.

regards, Elise



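Elise's advice in the two posts above is to reset the router because the redirects point to a router hijacker, and the symptom of such a hijack is usually that the router (or the attacker who changed its settings) hands the PC a DNS server the user never chose. The script below is an added example, mine rather than anything from the thread or from BleepingComputer's tools: it parses the text of `ipconfig /all` as Windows XP prints it and reports, for every DNS server the client received, whether it sits on the LAN, inside an allow-list you supply, or somewhere unexpected. The sample output, the 203.0.113.77 address (a documentation-range address standing in for a rogue resolver) and the allow-list are constructed for the example.

```python
"""Flag DNS servers a Windows XP client has been handed that lie outside
the LAN and are not on an allow-list. Added example for this thread,
not something the original posts contain. It parses the text of
`ipconfig /all` so it runs offline; the sample below is constructed."""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output. 203.0.113.77 (a documentation
# range address) stands in for a resolver the user never configured.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.104
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.77
"""

# "Key . . . : value" lines, and indented continuation lines holding one value.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[\s.]*:\s*(.*)$")
CONTINUATION = re.compile(r"^\s+(\S+)\s*$")


def parse_ipconfig(text):
    """Return {field: [values]} for the ipconfig text; multi-line fields
    such as 'DNS Servers' collect their continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = m.group(1).strip()
            fields.setdefault(key, [])
            if m.group(2).strip():
                fields[key].append(m.group(2).strip())
            continue
        m = CONTINUATION.match(line)
        if m and key:
            fields[key].append(m.group(1))
    return fields


def classify_dns(text, trusted=()):
    """Map each DNS server to 'lan' (on the client's own subnet), 'trusted'
    (inside one of the allow-listed networks) or 'unexpected'."""
    f = parse_ipconfig(text)
    lan = ipaddress.ip_network(
        f"{f['IP Address'][0]}/{f['Subnet Mask'][0]}", strict=False)
    allow = [ipaddress.ip_network(t) for t in trusted]
    verdicts = {}
    for server in f.get("DNS Servers", []):
        addr = ipaddress.ip_address(server)
        if addr in lan:
            verdicts[server] = "lan"
        elif any(addr in net for net in allow):
            verdicts[server] = "trusted"
        else:
            verdicts[server] = "unexpected"
    return verdicts


if __name__ == "__main__":
    # Hypothetical allow-list: put your ISP's resolvers here.
    report = classify_dns(SAMPLE_IPCONFIG, trusted=("198.51.100.0/24",))
    for server, verdict in report.items():
        print(f"{server:16} {verdict}")
```

Two caveats when reading the verdicts. A 'lan' answer only means the PC asks the router; on a hijacked router the router itself forwards to the attacker's resolver, so the DNS servers configured on the router's WAN page have to be checked by hand as well. And a reset returns the router to its factory credentials, so after resetting, change the admin password before reconnecting the PC, otherwise the settings can simply be changed again. The parser merges all adapters into one field table, which is fine for a laptop with a single active connection like the one in this thread.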

#8 jkolle (Topic Starter)

Posted 28 November 2010 - 04:54 PM

Hi Elise,

I am back from the holiday and online on the home laptop. I reset the router and ran Combofix a

Best Regards,
Jack


ComboFix 10-11-28.01 - Jack Kolle 11/28/2010 13:24:11.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.621 [GMT -8:00]
Running from: c:\documents and settings\Jack Kolle\My Documents\malware2\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jack Kolle\Desktop\Internet Explorer.lnk
c:\documents and settings\Jack Kolle\g2mdlhlpx.exe
c:\documents and settings\Jack Kolle\Local Settings\Application Data\{5C3C3D32-9DBD-41E9-ADD0-47C13ABB88EC}
c:\documents and settings\Jack Kolle\Local Settings\Application Data\{5C3C3D32-9DBD-41E9-ADD0-47C13ABB88EC}\chrome.manifest
c:\documents and settings\Jack Kolle\Local Settings\Application Data\{5C3C3D32-9DBD-41E9-ADD0-47C13ABB88EC}\chrome\content\overlay.xul
c:\documents and settings\Jack Kolle\Local Settings\Application Data\{5C3C3D32-9DBD-41E9-ADD0-47C13ABB88EC}\install.rdf
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\logs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-23 05:58 . 2010-11-23 05:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-11-23 05:50 . 2010-09-01 23:51 35136 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll
2010-11-23 01:02 . 2010-11-23 01:02 -------- d-----w- c:\program files\7-Zip
2010-11-22 20:43 . 2010-10-14 06:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2010-11-22 20:43 . 2010-10-14 06:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-22 20:43 . 2010-10-14 06:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-11-22 20:43 . 2010-10-14 06:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-22 20:43 . 2010-10-14 06:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-11-22 20:43 . 2010-10-14 06:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-22 20:43 . 2010-10-14 06:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-22 20:43 . 2010-10-14 06:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-22 20:43 . 2010-10-14 06:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-22 20:43 . 2010-11-22 20:43 -------- d-----w- c:\program files\McAfee.com
2010-11-22 19:19 . 2010-10-14 06:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-22 18:23 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-11-22 18:23 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-11-22 18:23 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-22 18:14 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-11-22 17:58 . 2010-11-22 17:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-22 17:57 . 2010-11-23 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-11-22 17:57 . 2010-11-22 17:57 -------- d-----w- c:\program files\NOS
2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-11-07 17:05 . 2010-11-22 17:52 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-14 06:28 . 2010-10-14 06:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-14 06:28 . 2007-03-16 21:08 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-09-18 20:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 17:51 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 17:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-10 17:50 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 17:51 1852800 ----a-w- c:\windows\system32\win32k.sys
2008-03-01 19:26 . 2008-03-01 19:26 98224311 ----a-w- c:\program files\QX3Plus.exe
2006-07-08 04:17 . 2006-07-08 04:17 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-05-02 01:12 . 2006-05-02 01:12 22490584 ----a-w- c:\program files\WaveStar.exe
2010-10-14 06:28 . 2010-11-22 20:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\QuickTime\qttask  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/22/2010 12:43 PM 84072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/22/2010 12:43 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/22/2010 12:43 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/22/2010 12:43 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/22/2010 12:43 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/22/2010 11:19 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/22/2010 12:43 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/22/2010 12:43 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/22/2010 12:43 PM 88544]
S0 ycljwcy;ycljwcy; [x]
S2 0255431290978493mcinstcleanup;McAfee Application Installer Cleanup (0255431290978493);c:\windows\TEMP\025543~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\025543~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/22/2010 12:43 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/22/2010 12:43 PM 84264]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 9:51 AM 14336]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\stvqx3.sys [3/1/2008 11:29 AM 131776]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [8/26/2010 11:39 AM 90352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0255431290978493MCINSTCLEANUP
*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Jack Kolle\Application Data\Mozilla\Firefox\Profiles\5i5uojfc.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-klmdb.sys
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
AddRemove-{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1 - c:\documents and settings\Jack Kolle\My Documents\malware2\MustBeRandomlyNamed\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 13:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1384)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2560)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\System32\SCardSvr.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-11-28 13:41:01 - machine was rebooted


ComboFix-quarantined-files.txt 2010-11-28 21:40

Pre-Run: 16,435,113,984 bytes free
Post-Run: 16,411,631,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D0B638C19710BE64F04660D073A54054

#9 Elise

Posted 29 November 2010 - 04:22 AM

Hi, please let me know how things are running after the following fix.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
RenV::
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\QuickTime\qttask  .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise



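The three paths in the RenV:: script above are the same ones ComboFix listed between `<pre>` tags in the log: executables whose names carry a space before `.exe` (`jusched .exe`, `DVDLauncher .exe`, `qttask  .exe`). As an added example, written by me and not part of the post, ComboFix or any BleepingComputer tool, the script below hunts a directory tree for that naming pattern and records whether something already occupies the unpadded name beside each hit, which is the case a practitioner wants to look at first, since it means the padded file may be a displaced original and the file under the clean name an impostor. The sample tree, the extension list, and my reading of RenV:: as "rename the padded file back to its unpadded name" are assumptions; the thread does not explain the directive.

```python
"""Find executables whose file name carries stray whitespace before the
extension ("jusched .exe") and check whether a same-named file without the
space sits beside them. Added example for this thread, not part of the
original post or of ComboFix; it builds its own throw-away sample tree."""
import os
import re
import tempfile
from pathlib import Path

# Assumption (mine): the pattern worth hunting is one or more spaces right
# before the extension of an executable-type file, as in the RenV:: list.
PADDED = re.compile(r"^(?P<stem>.+?)\s+(?P<ext>\.(?:exe|dll|scr|sys))$",
                    re.IGNORECASE)


def find_space_padded(root):
    """Walk root and return one record per padded name, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {name.lower() for name in files}
        for name in files:
            m = PADDED.match(name)
            if not m:
                continue
            restored = m.group("stem") + m.group("ext")
            hits.append({
                "path": Path(dirpath, name),
                "restore_to": Path(dirpath, restored),
                # True when something already occupies the unpadded name,
                # i.e. the padded file may be the displaced original.
                "twin_present": restored.lower() in present,
            })
    return sorted(hits, key=lambda h: str(h["path"]))


def renv_script(hits):
    """Render hits as a RenV:: section in the shape the post above uses."""
    return "RenV::\n" + "\n".join(str(h["path"]) for h in hits) + "\n"


def build_sample_tree(base):
    """Constructed layout mirroring the <pre> block in the ComboFix log.
    'DVD Launcher Help.exe' has a space that is NOT before the extension
    and must not be flagged."""
    layout = {
        "Common Files/Java/Java Update": ["jusched .exe", "jusched.exe"],
        "CyberLink/PowerDVD": ["DVDLauncher .exe", "DVD Launcher Help.exe"],
        "QuickTime": ["qttask  .exe", "qttask.exe", "QuickTimePlayer.exe"],
    }
    for sub, names in layout.items():
        d = Path(base).joinpath(*sub.split("/"))
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"MZ")  # placeholder content, not a real PE


def scan_sample():
    """Build the sample tree, scan it and return path-relative records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_space_padded(tmp)
        for h in hits:
            h["path"] = h["path"].relative_to(tmp).as_posix()
            h["restore_to"] = h["restore_to"].relative_to(tmp).as_posix()
        return hits


if __name__ == "__main__":
    results = scan_sample()
    for h in results:
        tag = "name already taken" if h["twin_present"] else "no twin"
        print(f"{h['path']}  ->  {h['restore_to']}  [{tag}]")
    print(renv_script(results))
```

Against a real machine, call `find_space_padded(r"C:\Program Files")`; the script only reports and never renames, because on a live case the rename is the helper's decision once the file under the clean name has been checked (size and digital signature against the vendor's) and, if malicious, removed. A hit with no twin is far less interesting than a hit whose clean name is already taken.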

#10 Elise

Posted 02 December 2010 - 06:59 AM

Hi, are you still there?

regards, Elise




#11 Elise

Posted 06 December 2010 - 07:48 AM

Due to lack of feedback this topic will now be closed.

If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






