Blocked from running Spybot or any other malware remover [Archive]

ryodin

2011-08-20, 01:37

Hi,

First off, I'm using Windows XP, and have run all the necessary updates to the best of my knowledge promptly and accurately.

I am being blocked from running Spybot, so I cannot even create a log to submit here. I will try my best to explain the problem as best I can figure it out, but please bear in mind that I am not very technical literate when it comes to such matters.

If anyone can help, I would sincerely appreciate it.

Now, I first started noticing something was amiss when the latest Microsoft Windows auto update came through several days ago. I saw the little icon in my system tray, and I clicked on it, and then installed the update. Afterwards, I was told to restart my PC. I did so. However, now I constantly see the Windows Updater icon in my system tray as if there is an update, even when I have already run the update.

I looked into just what it was that Windows wanted me to update, and I found that it is the "Windows Malicious Software Removal Tool - August 2011 (KB890830)". Except, it's listed as having "0 bytes". I don't know if that important or not, but I'm making notice of it here just the same. I since downloaded this file over and over, but it still won't disappear.

Furthermore, now whenever I shut my PC down for the day, I notice the little Windows install shield promising to install the update before shutting my PC down. I let it do this each time, and each time it is still there the next time I shut my PC down.

In addition to this, I might add, my McAfee Security Center has been unable to run a scan for two weeks now. Whenever I try to run one, I get an error code.

Realizing that I might be infected with some kind of malware, I went to all my usual steps. I tried HijackThis first. I ran the updates on it first, then tried to open the program. I receive a message saying that Windows could not gain access to this particular file.

I tried Spybot S&D next, but the same thing occurred. I uninstalled Spybot and downloaded a more up to date version from Safer Networking, but again I was told that Windows could not access this file after the program was installed.

Lastly, I tried Ad-Aware, but . . . you get the picture.

I even went to Microsoft's Windows site and manually downloaded the Malicious Software Removal tool, which succeeded in getting the installer onto my desktop. But after installing the tool and running it, halfway through the quick scan the process suddenly shut down.

I received a message from my Firewall saying that it blocked a program from accessing the web. This happened again when I tried to run it from MS online directly.

I'm afraid I'm fresh out of ideas!

I even went to Safer Networking and purchased the bootable CD, but that could take many days to arrive and I don't even know if that is the right step to take in combating whatever this problem might be.

I don't know if anyone can help me, but I hope so. I'm at my wit's end! I apologize for the rather long post, but I figured it was best to be as thorough as possible.

Thanks!

Sincerely,

Ryodin

redcar92

2011-08-20, 02:02

Hello Ryodin and welcome to Safer-Networking Form.
I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

Please observe these rules while we work: Read the entire procedure It is important to perform ALL actions in sequence. If you don't know, stop and ask! Don't keep going on. Please reply to this thread. Do not start a new topic. Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it. Remember, absence of symptoms does not mean the infection is all gone. Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise, this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Stay with this topic until I give you the all clean post.

ryodin

2011-08-20, 04:00

Hi Bill,

Thank you so much for the speedy reply. I will do as you suggest and wait until you can get back to me. I understand this may take some time, but I'm in it for the long haul.

If it helps any, I will include below the message window that pops up whenever I try to run a malware removal program (SpyBot, Ad-Aware, etc.):

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Again, this happens anytime I try to open and/or run an anti-malware tool. I don't experience this problem with any other programs on my PC, however.

Thanks again!

--Ryodin

redcar92

2011-08-20, 04:04

Thanks Ryodin, I will be back asap. :bigthumb:

redcar92

2011-08-20, 14:30

Greetings ryodin,
I feel your pain, so let's get started,

First
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Next

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Next

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under Custom Scan paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
You may need two posts to fit them both in.

Logs to post:

aswMBR.txt
OTL.txt
Extras.txt

ryodin

2011-08-20, 18:51

Bill,

Sorry for the late reply. I've been having trouble running these steps you outlined above. As I mentioned before, whatever it is that's infecting my PC seems to be blocking attempts to run .exe files I try to open. With this in mind, I decided against saving "exeHelper" and "aswMBR" to my desktop. I opted instead to press "run" instead of "save" and run them off the host site directly.

This worked for the above two .exe files, but not for the third: OTL. When I tried to run OTL from the website, I was told that I could not do so and would have to save it first. So I did so. I was able to open OTL and implement all the steps you outlined, up to and including pasting the "Custom Scan" list. Once I did this, I clicked the "Run Scan" button. The program immediately closed and would not respond. Upon attempting to open OTL a second time, I received that familiar message: "Windows cannot access the specified device, path, or file . . ." as I mentioned earlier in this thread.

Additionally, I'm not even allowed to remove the OTL .exe from my desktop. When I tried to delete it, I'm told that I am not allowed to.

So, unfortunately, I cannot post any logs from OTL. I do, however, have logs from exeHelper and aswMBR. Since you did not ask me to post the log from the exeHelper scan, I will instead only paste the aswMBR one below.

However, before I do so, I would like to point out that it seems the aswMBR scan did not completely cycle through. It found a bunch of errors, but then appeared to stall out near the end. Or perhaps it was already at the end of the scan? I can't tell because there was no message or anything telling me that the scan had been completed. To me it appears like as if it simply stopped scanning beyond a certain point. So after 30 minutes of waiting, I finally hit the "save log" button and generated a report.

Maybe you can make sense of it. Here is a copy of the log:

========================aswMBR.txt=========================

11:07:09.250 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
11:07:11.312 Disk 0 MBR read successfully
11:07:11.312 Disk 0 MBR scan
11:07:12.515 Disk 0 Windows XP default MBR code
11:07:12.531 Disk 0 scanning sectors +234372285
11:07:12.781 Disk 0 scanning C:\WINDOWS\system32\drivers
11:08:59.218 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
11:09:14.109 Service scanning
11:09:20.656 Modules scanning
11:09:32.093 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
11:10:02.218 Disk 0 trace - called modules:
11:10:02.250 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5247c0]<<
11:10:02.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a699ab8]
11:10:02.625 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a512e48]
11:10:02.625 \Driver\00000696[0x8a5bcb60] -> IRP_MJ_CREATE -> 0x8a5247c0
11:10:07.375 AVAST engine scan C:\WINDOWS
11:11:33.968 AVAST engine scan C:\WINDOWS\system32
11:20:46.812 AVAST engine scan C:\WINDOWS\system32\drivers
11:21:36.875 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
11:21:59.125 AVAST engine scan C:\Documents and Settings\David Batista
11:55:38.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\MBR.dat"
11:55:38.031 The log file has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\aswMBR.txt"

=========================================================

I would also like to mention that I do own another, more up-to-date PC, running Windows 7. I also own a flash thumb drive. I'm only making you aware of this in case we might be able to use that to fix my infected PC.

Thanks for the help again!

-Ryodin

redcar92

2011-08-20, 21:43

Hello Ryodin
Exehelper.com is a com file, reboot and try saving as requested and running again.
Then try OTL again please. Let me know results, there are other ways to skin this cat you know.

ryodin

2011-08-20, 22:06

Bill,

I'm running aswMBR again, because I feel that it did not finish through that first scan I posted the log for. As of right now, it's been running for almost 4 hours, and I don't think it's done yet. What I thought was a stall was just in fact a very long scan segment. So the log I posted above was incomplete.

I'm going to let this run for as long as it takes. This means it might be many hours before I can try the new suggestions you mentioned above.

Or do you think I should stop the aswMBR process altogether and try to do what you suggest?

Also, because I have already downloaded and saved OTL to my desktop, I seem to be unable to download it again. The file is refusing to be replaced by the newer copy, and I'm not being allowed to delete it. And as you know now, I'm being denied from opening OTL on my desktop, too. So I'm damned if I don't and damned if I do here.

What can I do?

--Ryodin

redcar92

2011-08-20, 22:15

Hello Ryodin,
aswmbr log looks like it finished to me. It usually doesn't take more than 10min to run. You can kill it if you wish. I will get back to you soon with another action plan.

ryodin

2011-08-20, 22:18

P.S. -- I downloaded to my destop and ran exeHelper.com. So here are the two logs, seemingly identical, that resulted from both attempts. The first one I tried in the morning as soon as I got your message, and which was generated from an online direct run only:

exeHelper by Raktor
Build 20100414
Run at 10:56:21 on 08/20/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...

The second one was generated just now after I saved the program and ran it:

exeHelper by Raktor
Build 20100414
Run at 16:09:30 on 08/20/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Curiously enough, after I ran it the second time, suddenly my McAfee Security Center went haywire. I keep getting pop up windows telling me that my Firewall is turned off. When I turn it back on, it shuts back down again. And then it comes on by itself a few seconds later, only to shut down once more again a few seconds after that. It keeps doing this until I restart the computer. I'm still running aswMBR, though, so I don't want to reboot my PC at this moment. I'll just leave the Firewall running haywire until the scan is done.

ryodin

2011-08-20, 22:23

Bill,

Okay, well here is the 2nd aswMBR log. Because I let it run a lot longer this time, I noticed there is a 5th error being reported now. The original log only showed 4 error lines in red. So I'm copying the log of the second scan below just in case:

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-20 12:12:33
-----------------------------
12:12:33.015 OS Version: Windows 5.1.2600 Service Pack 3
12:12:33.015 Number of processors: 1 586 0x209
12:12:33.015 ComputerName: D139KB41 UserName:
12:12:57.375 Initialize success
12:13:30.765 AVAST engine defs: 11082000
12:13:58.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
12:13:58.062 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
12:14:00.093 Disk 0 MBR read successfully
12:14:00.093 Disk 0 MBR scan
12:14:00.250 Disk 0 Windows XP default MBR code
12:14:00.296 Disk 0 scanning sectors +234372285
12:14:00.390 Disk 0 scanning C:\WINDOWS\system32\drivers
12:14:42.187 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
12:14:55.015 Service scanning
12:15:08.468 Modules scanning
12:15:11.656 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
12:15:16.546 Disk 0 trace - called modules:
12:15:16.562 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5297c0]<<
12:15:16.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a699ab8]
12:15:16.937 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a4d5030]
12:15:16.937 \Driver\00000711[0x8a5b68e8] -> IRP_MJ_CREATE -> 0x8a5297c0
12:15:20.281 AVAST engine scan C:\WINDOWS
12:15:51.140 AVAST engine scan C:\WINDOWS\system32
12:20:40.171 AVAST engine scan C:\WINDOWS\system32\drivers
12:20:56.921 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
12:21:04.156 AVAST engine scan C:\Documents and Settings\David Batista
16:19:41.163 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\MBR.dat"
16:19:41.663 The log file has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\aswMBR2.txt"

--Ryodin (aka David Batista)

redcar92

2011-08-20, 22:44

OK Ryodin,
Let's try it this way please.

Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Do not reboot your computer after running rkill as the malware programs will start again.

Please download and run one of the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.

You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
Do not reboot your computer after running rkill as the malware programs will start again.
Remember, RKill must be run each time your PC is booted until exe files will run with out it.

Next
Please read carefully and follow these steps.

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i1176.photobucket.com/albums/x337/redcar92/WTT/TDSSKiller/TDSSKiller1.png
If an infected file is detected, the default action will be Cure, click on Continue.

http://i1176.photobucket.com/albums/x337/redcar92/WTT/TDSSKiller/TDSSKiller2.png

If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i1176.photobucket.com/albums/x337/redcar92/WTT/TDSSKiller/TDSSKiller3.png
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file in your next post.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next post.

Next
If that works then OTL again please

Logs to post:

TDSKiller.txt
OTL.txt

ryodin

2011-08-20, 23:35

Okay, I was able to download rkill.exe to the desktop of my infected PC. I then ran it and it seemed to have eliminated a piece of malware. I saved the log of that, and then moved on to the next step.

Next I downloaded and extracted TDSSKiller to the infected PC, I was able to run that process as well. However, the program said it found no infections. None at all.

So, at a loss for what to do next, I tried running OTL again. Now remember, I cannot run the OTL file I previously downloaded. It ran the first time, and then the window suddenly vanished and nothing happened.

So, I had to download OTL anew. Mind you, the previous two downloads are still on my PC, but after failing twice they now refuse to open again or to be sent to the trash bin. This means that I cannot download OTL anew without first choosing a different location other than my desktop. If I don't, the download tries to replace the existing copy of the program and then fails to do so because of some kind of conflict.

So, that all being said now, I went and downloaded a fresh copy of OTL and saved it to a new folder on my desktop. I opened OTL, and selected all the steps I'm supposed to select. I then copied and pasted the info you gave me under "Custom Scan", and hit the "Run Scan" button.

Immediately the OTL window vanished, and I'm left staring at the screen now wondering what to do next. It's been 20 minutes now, and nothing has popped up. I know if I try to open OTL again, I will get that access denied message once more. So I won't do that.

I'm writing this message from my Netbook now, because I don't want to touch the infected PC or reboot it until I hear back from you.

Sorry this is being so difficult. If you would like me to paste copies of the rkill and tdsskiller logs, let me know.

--Ryodin

ryodin

2011-08-21, 00:20

Bill,

I'm just going to go ahead and paste the rkill log in the interim, for whatever it's worth. Here it is:

========================================================
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 08/20/2011 at 17:09:00.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe

Rkill completed on 08/20/2011 at 17:09:09.
=======================================================

The rkill program seemed to have killed something related to my Dropbox folder. I find this interesting because, come to think of it, my Dropbox folder has been acting screwy for a long while. Say, for the past 2 to 3 months or so. Since this folder connects to a cloud service, should I perhaps disengage from Dropbox and remove the folder?

I have Dropbox on my Netbook as well, but have never experienced any problems with the Netbook. It could be that this is because my infected desktop PC is running on Windows XP, whereas my Netbook is running on Windows 7. Don't know if any of this matters, but figured I'd put it out there.

Thanks again for all the wonderful help! I hope we can get to the bottom of this.

--Ryodin

P.S. -- I have not rebooted my PC yet since running rkill.

redcar92

2011-08-21, 01:06

I am not seeing anything wrong with dropbox.exe. You can reboot your pc anytime you wish, just rerun rkill after booting.
Back soon.

redcar92

2011-08-21, 01:52

Greetings Ryodin,
This one is a bit stubborn. Let's go at it from this direction.

***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ryodin

2011-08-21, 03:33

Bill,

I was away from the PC for a bit, sorry about the delay. I'm writing this from my Netbook, which is not infected. Right now ComboFix is running on the infected machine. In the meantime I wanted you to know that I received a message from ComboFix saying that it detected an infection of "Rootkit.ZeroAccess." ComboFix then went on to call it a "particularly difficult infection."

I was told to be patient and to let ComboFix run its course. Also, that if I should lose Internet access at anytime, to wait for ComboFix to run completely and automatically reboot the machine. That should fix it. If not, to run ComboFix one more time.

I checked, and sure enough I no longer had Internet access.

ComboFix just finished its run and confirmed that I did indeed have a rootkit infection. It has now rebooted my PC and now I'm waiting. I'll post back in a little while when I can.

--Ryodin

redcar92

2011-08-21, 04:01

No problem post back when you can. :bigthumb:

ryodin

2011-08-21, 04:38

Okay, I'm starting to get worried now.

My PC rebooted and immediately upon startup ComboFix continued running. It started listing each stage as it completed. Sometime around Stage 30, I received a pop-up window stating that "PEV.exe encountered a problem and needs to close."

I have no idea what PEV.exe is, but I hope it doesn't cause a problem.

ComboFix continued to run after this. It completed Stage 50, then it started deleting a bunch of files.

However, now it seems to have stalled. ComboFix has been on the same line now for 35 minutes. Nothing's changed in all that time. Every now and then an hour glass shows up, then vanishes. And the cursor in the ComboFix window is still blinking.

What should I do? None of my desktop icons are showing, and I can't access any other area of my PC. The only thing on the screen right now is this ComboFix window. I'm afraid if I shut the machine down in the middle of the process I won't be able to start it up again.

Until I hear back from you, I'll let it continue to run.

--Ryodin

redcar92

2011-08-21, 04:47

It is almost 11:00 so let it go tonight. Sometimes CF takes quite a while, I have seen over half hour on a clean machine. If you are a night owl stop it in 2 hrs. The fact that it completed stage 50 is good, and deleting files is also good. It found a nasty rootkit and is trying to deal with it now. Some times it will stall.

ryodin

2011-08-21, 04:59

Okay, I'll let it run as long as it needs to then. I am a night owl, in fact, so I'll try to keep an eye on it for the next 2 to 3 hours.

Thanks for everything so far!

ryodin

2011-08-21, 11:30

Okay, I let it run for 4 hours more and still nothing changed. So finally I had to quit ComboFix and do a hard reboot. After starting my PC again, I ran ComobFix one more time.

This time it updated itself before starting a new scan. Again, it made it past Stage 50, then stalled once more. I left it running for 1 hour, then had to do a forced quit once more. I've given up on trying to get a log out of this program now. It refuses to let me reach the end of the scan.

So, what next?

--Ryodin

P.S. -- I've downloaded my 4th copy of OTL to my infected machine and will give that another chance. Keep in my mind that I still have 3 previous copies that refuse to be accessed or deleted. I don't know how to get rid of those. This 4th copy, however, seems to actually be working now. I'm in the process of running an actual scan in OTL! I've never gotten this far before! Will post the two logs from this if I get that far.

ryodin

2011-08-21, 13:27

Phew! For a second there it seemed like OTL stalled halfway through as well. But then I walked away and came back in an hour and found the two log files waiting for me! :)

So, first I'm going to paste the OTL log below. In my next post, I'll paste the Extras log separately.

==========================================================
OTL logfile created on: 8/21/2011 5:27:38 AM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\David Batista\Desktop\OTL3
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.53% Memory free
3.85 Gb Paging File | 3.17 Gb Available in Paging File | 82.23% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.73 Gb Total Space | 37.75 Gb Free Space | 33.79% Space Free | Partition Type: NTFS
Drive F: | 931.48 Gb Total Space | 657.48 Gb Free Space | 70.58% Space Free | Partition Type: NTFS

Computer Name: D139KB41 | User Name: David Batista | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\David Batista\Desktop\OTL3\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Documents and Settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe ()
PRC - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe ()
PRC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (Western Digital Technologies, Inc.)
PRC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
PRC - C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)

========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\846dd505f97805f00999ee26aec9bf75\System.Transactions.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\6e563a58e6fc0117070d5b8fd59e4e1b\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\585e68739b2a8aff61ee6b2786513245\System.Configuration.Install.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\e3a0205acab2215fbad7927d9d483aeb\System.ServiceModel.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\db2d84e279807592a680ef4135e9fe9a\System.Data.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll ()
MOD - C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
MOD - C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll ()
MOD - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\System.Data.SQLite.dll ()
MOD - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe ()
MOD - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll ()
MOD - C:\Program Files\Haali\MatroskaSplitter\mkunicode.dll ()
MOD - C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LXBLPP5C.DLL ()

========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe ()
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe ()
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (WDFME) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe ()
SRV - (WDSC) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe ()
SRV - (WDDMService) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (ZuneNetworkSvc) -- C:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (Sony Corporation)
SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (Sony Corporation)
SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel(R) Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfetdi2k.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdet.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\SYSTEM32\DRIVERS\cfwids.sys (McAfee, Inc.)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (WDC_SAM) -- C:\WINDOWS\SYSTEM32\DRIVERS\wdcsam.sys (Western Digital Technologies)
DRV - (BVRPMPR5) -- C:\WINDOWS\SYSTEM32\DRIVERS\BVRPMPR5.SYS (Avanquest Software)
DRV - (Serial) -- C:\WINDOWS\SYSTEM32\DRIVERS\serial.sys ()
DRV - (PalmUSBD) -- C:\WINDOWS\SYSTEM32\DRIVERS\PalmUSBD.sys (PalmSource, Inc.)
DRV - (dsunidrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
DRV - (GoProto) -- C:\WINDOWS\SYSTEM32\DRIVERS\goprot51.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (SDDMI2) -- C:\WINDOWS\SYSTEM32\DDMI2.sys (Gteko Ltd.)
DRV - (RIOUNIV) -- C:\WINDOWS\SYSTEM32\DRIVERS\RIOUNIV.SYS (Digital Networks North America, Inc.)
DRV - (Jukebox) -- C:\WINDOWS\SYSTEM32\DRIVERS\ctpdusb2.sys (Creative Technology Ltd.)
DRV - (iAimFP4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys (Intel(R) Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys (Intel(R) Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys (Intel(R) Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys (Intel(R) Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys (Intel(R) Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys (Intel(R) Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys (Intel(R) Corporation)
DRV - (i81x) -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys (Intel(R) Corporation)
DRV - (HSFHWBS2) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (EL90XBC) -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS (3Com Corporation)
DRV - (SbcpHid) -- C:\WINDOWS\SYSTEM32\DRIVERS\SbcpHid.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 22 D2 04 02 82 18 EE 45 BA B4 82 4C BA 7E EB 8F [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/npracplug;version=1.0.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/04/08 17:26:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.1\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2010/12/09 23:11:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.1\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2011/06/17 15:58:14 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/04/08 17:26:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.1\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2010/12/09 23:11:49 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.1\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2011/06/17 15:58:14 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/05/12 21:10:38 | 000,394,487 | R--- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13648 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110820163657.dll (McAfee, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (Western Digital Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\David Batista\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Documents and Settings\David Batista\Start Menu\Programs\Startup\HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)
O4 - Startup: C:\Documents and Settings\David Batista\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/OAS/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1080172047671 (MSSecurityAdvisor Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc.cab (Office Update Installation Engine)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab (McAfee.com Operating System Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} http://www.webshots.com/samplers/WSDownloader.ocx (WSDownloader Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216138451140 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164772634593 (MUWebControl Class)
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab (Ofoto Upload Manager Class)
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} http://www.microsoft.com/security/controls/DoomCln.CAB (DoomCln Object)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab (DwnldGroupMgr Class)
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} http://www.systemrequirementslab.com/sysreqlab.cab (System Requirements Lab Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4342/mcfscan.cab (McFreeScan Class)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\David Batista\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\David Batista\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 10:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/08/21 05:24:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Batista\Desktop\OTL3
[2011/08/21 05:17:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/08/21 03:27:54 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/08/20 21:20:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/20 21:20:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/20 21:20:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/20 21:20:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/08/20 21:20:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/08/20 21:20:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\David Batista\Start Menu\Programs\Administrative Tools
[2011/08/20 20:02:04 | 004,179,400 | R--- | C] (Swearware) -- C:\Documents and Settings\David Batista\Desktop\ComboFix.exe
[2011/08/20 17:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Batista\Desktop\OTL2
[2011/08/20 17:13:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Batista\Desktop\tdsskiller
[2011/08/20 11:59:52 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Documents and Settings\David Batista\Desktop\aswMBR.exe
[2011/08/20 10:57:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Batista\Desktop\Logs
[2011/08/19 19:31:41 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/08/18 22:16:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Batista\Start Menu\Programs\HiJackThis
[2011/08/13 19:51:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Batista\Desktop\Justified Season 2
[2011/07/23 11:15:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/07/23 11:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2006/03/25 20:23:03 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/21 05:18:09 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/08/21 05:16:56 | 2145,439,744 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/21 05:16:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/08/21 03:26:42 | 004,179,400 | R--- | M] (Swearware) -- C:\Documents and Settings\David Batista\Desktop\ComboFix.exe
[2011/08/20 17:12:22 | 001,389,603 | ---- | M] () -- C:\Documents and Settings\David Batista\Desktop\tdsskiller.zip
[2011/08/20 17:07:18 | 001,008,092 | ---- | M] () -- C:\Documents and Settings\David Batista\Desktop\rkill.exe
[2011/08/20 16:08:57 | 000,294,400 | ---- | M] () -- C:\Documents and Settings\David Batista\Desktop\exeHelper.com
[2011/08/20 11:59:52 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\David Batista\Desktop\aswMBR.exe
[2011/08/20 11:59:19 | 000,580,096 | ---- | M] () -- C:\Documents and Settings\David Batista\Desktop\OTL.exe
[2011/08/20 10:59:11 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/19 18:19:22 | 072,274,320 | ---- | M] () -- C:\Documents and Settings\David Batista\Desktop\msert.exe
[2011/08/18 23:03:55 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/08/13 21:52:13 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\David Batista\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/13 12:13:04 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/10 18:03:29 | 000,460,718 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/08/10 18:03:29 | 000,079,804 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/08/10 17:59:10 | 052,390,856 | ---- | M] () -- C:\WINDOWS\System32\MRT.exe
[2011/07/31 13:05:34 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/07/31 13:05:34 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/07/25 11:17:44 | 005,969,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/20 21:20:57 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/20 21:20:57 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/20 21:20:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/20 21:20:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/20 21:20:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/20 17:12:22 | 001,389,603 | ---- | C] () -- C:\Documents and Settings\David Batista\Desktop\tdsskiller.zip
[2011/08/20 17:07:16 | 001,008,092 | ---- | C] () -- C:\Documents and Settings\David Batista\Desktop\rkill.exe
[2011/08/20 16:08:57 | 000,294,400 | ---- | C] () -- C:\Documents and Settings\David Batista\Desktop\exeHelper.com
[2011/08/20 11:59:17 | 000,580,096 | ---- | C] () -- C:\Documents and Settings\David Batista\Desktop\OTL.exe
[2011/08/19 18:19:17 | 072,274,320 | ---- | C] () -- C:\Documents and Settings\David Batista\Desktop\msert.exe
[2011/05/29 13:02:53 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/29 13:02:53 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/04/08 18:05:09 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat.temp
[2011/04/08 17:08:21 | 000,207,553 | ---- | C] () -- C:\WINDOWS\hpwins28.dat
[2011/04/08 17:08:21 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat
[2011/01/09 19:13:14 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/01/08 12:23:23 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2011/01/05 20:50:26 | 000,003,018 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp FLAC Codec.dat
[2011/01/05 20:49:12 | 000,522,928 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2011/01/05 20:49:12 | 000,017,766 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Music Converter.dat
[2010/12/27 02:45:44 | 000,365,032 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/14 22:13:04 | 000,055,524 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/03/12 18:45:04 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/02/16 11:54:31 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/02/16 11:54:31 | 000,003,453 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/06/20 22:44:39 | 000,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2006/12/25 15:08:14 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/29 20:43:15 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\PdeSrv2p.dll
[2006/06/05 22:00:42 | 000,000,008 | RHS- | C] () -- C:\WINDOWS\System32\DC5F143025.sys
[2006/01/29 17:40:02 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\2530145FDC.sys
[2006/01/29 17:37:52 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/01/12 01:15:15 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/01/12 01:15:15 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005/11/23 00:00:00 | 000,778,240 | ---- | C] () -- C:\WINDOWS\System32\DivXsm.exe
[2005/11/06 23:30:40 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/11/06 23:19:14 | 000,000,907 | ---- | C] () -- C:\WINDOWS\DIPLOMA.INI
[2005/11/06 23:19:08 | 000,000,143 | ---- | C] () -- C:\WINDOWS\BRGVARS.INI
[2005/11/06 23:18:21 | 000,000,367 | ---- | C] () -- C:\WINDOWS\SETUPEXE.INI
[2005/11/02 23:20:48 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/09/26 15:37:48 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2005/08/12 17:57:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/05/11 23:33:09 | 052,390,856 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2005/03/05 20:35:36 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2004/12/04 21:20:04 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\David Batista\Local Settings\Application Data\fusioncache.dat
[2004/11/28 18:58:31 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\BurnData.bin
[2004/09/30 18:37:44 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/09/06 16:05:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/06/16 21:44:49 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2004/03/29 22:19:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2004/03/27 18:43:43 | 000,095,440 | ---- | C] () -- C:\WINDOWS\GREUninstall.exe
[2004/03/27 18:43:40 | 000,009,372 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2004/03/21 23:10:51 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\StaticIm.dll
[2004/03/21 23:10:51 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\VService.dll
[2004/02/28 01:30:47 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\PdSACKey.sys
[2004/02/21 19:40:33 | 000,003,859 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/02/21 17:04:33 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2004/02/21 17:03:51 | 000,000,021 | ---- | C] () -- C:\WINDOWS\phbase.ini
[2004/02/21 17:03:01 | 000,000,572 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2004/02/21 17:01:55 | 000,000,022 | ---- | C] () -- C:\WINDOWS\OP70.INI
[2004/02/21 17:00:25 | 000,001,652 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2004/02/21 17:00:25 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2004/02/21 17:00:25 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2004/02/21 03:27:14 | 000,098,304 | ---- | C] () -- C:\Documents and Settings\David Batista\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/02/21 03:21:07 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\instlsp.exe
[2004/02/21 01:54:56 | 000,000,427 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2004/02/17 04:57:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/02/17 04:48:18 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/17 04:45:36 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/02/17 04:41:25 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/02/17 04:40:32 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/02/17 04:37:36 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/02/17 04:25:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/02/17 04:23:36 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/02/17 04:23:34 | 000,460,718 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/02/17 04:23:34 | 000,079,804 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/02/17 04:23:23 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/02/17 04:11:26 | 000,000,549 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/16 05:48:02 | 000,909,312 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/11/16 05:48:00 | 001,060,864 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/11/15 12:54:18 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/08/14 00:54:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/03/26 10:23:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\LXBLIH.EXE
[2003/03/26 10:19:44 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBLLCNP.DLL
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/13 11:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxblvs.dll
[2002/10/06 18:42:58 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/09/03 11:05:08 | 000,267,008 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 10:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 10:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 10:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 10:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/08/29 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 07:00:00 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\serial.sys
[2002/08/29 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2001/07/19 10:52:39 | 000,038,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2001/01/19 11:50:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\INSTMON.EXE
[1980/01/01 02:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2007/08/18 14:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DataViz
[2007/08/18 14:35:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2011/08/18 22:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2010/08/16 17:33:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2004/11/28 19:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2006/03/26 17:24:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2004/02/17 04:42:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/12/23 01:22:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2006/12/23 20:30:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/01/09 13:58:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
[2010/04/01 21:56:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/10 21:16:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/20 19:12:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/01/01 14:11:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\Canon
[2008/09/28 15:04:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\CoreCodec
[2011/08/21 05:19:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\Dropbox
[2009/07/25 12:55:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\FUJIFILM
[2007/08/18 14:31:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\HotSync
[2009/11/24 21:42:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\ieSpell
[2011/01/08 15:18:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\iolo
[2010/08/16 17:33:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\Juniper Networks
[2004/02/21 17:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\Leadertech
[2006/08/29 20:41:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\Musicmatch
[2005/10/07 17:21:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\Red Chair Software
[2007/01/28 14:05:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Batista\Application Data\Viewpoint
[2011/08/18 23:03:55 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
[2001/05/24 12:59:30 | 000,162,304 | ---- | M] () -- C:\UNWISE.EXE

< MD5 for: AGP440.SYS >
[2004/09/30 18:41:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2008/07/22 22:04:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:AGP440.sys
[2004/09/30 18:41:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/07/22 22:04:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DLLCACHE\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 15:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2002/08/29 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys
[2002/08/29 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2004/09/30 18:41:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2008/07/22 22:04:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:atapi.sys
[2004/09/30 18:41:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/07/22 22:04:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/08/29 03:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[2002/08/29 03:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/04/23 11:29:54 | 000,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\DLLCACHE\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2002/08/29 07:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\DLLCACHE\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2002/08/29 07:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2002/08/29 07:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\DLLCACHE\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[15 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2002/09/03 10:47:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\DEFAULT.SAV
[2002/09/03 10:47:18 | 000,602,112 | ---- | M] () -- C:\WINDOWS\System32\config\SOFTWARE.SAV
[2002/09/03 10:47:18 | 000,380,928 | ---- | M] () -- C:\WINDOWS\System32\config\SYSTEM.SAV

< End of report >
=========================================================

--Ryodin

ryodin

2011-08-21, 13:32

Here is the Extras log:

=========================================================
OTL Extras logfile created on: 8/21/2011 5:27:38 AM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\David Batista\Desktop\OTL3
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.53% Memory free
3.85 Gb Paging File | 3.17 Gb Available in Paging File | 82.23% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.73 Gb Total Space | 37.75 Gb Free Space | 33.79% Space Free | Partition Type: NTFS
Drive F: | 931.48 Gb Total Space | 657.48 Gb Free Space | 70.58% Space Free | Partition Type: NTFS

Computer Name: D139KB41 | User Name: David Batista | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJIFILM Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10244:TCP" = 10244:TCP:LocalSubNet:Enabled:Zune Network Sharing Service
"10285:UDP" = 10285:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10286:UDP" = 10286:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10287:UDP" = 10287:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10288:UDP" = 10288:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10289:UDP" = 10289:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP
"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10244:TCP" = 10244:TCP:LocalSubNet:Enabled:Zune Network Sharing Service
"10285:UDP" = 10285:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10286:UDP" = 10286:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10287:UDP" = 10287:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10288:UDP" = 10288:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10289:UDP" = 10289:UDP:LocalSubNet:Enabled:Zune Network Sharing Service
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP
"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe:*:Enabled:hpofxs08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe:*:Enabled:hpqfxt08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\setup\hpznui01.exe" = C:\Program Files\HP\Digital Imaging\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\setup\hpznui01.exe:*:Enabled:hpznui01.exe -- (Hewlett-Packard)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Palm\HOTSYNC.EXE" = C:\Program Files\Palm\HOTSYNC.EXE:*:Enabled:HotSync® Manager Application -- (PalmSource, Inc)
"C:\Program Files\Red Chair Software\Dudebox Explorer\dudemgr.exe" = C:\Program Files\Red Chair Software\Dudebox Explorer\dudemgr.exe:*:Enabled:Red Chair Manager -- (Red Chair Software, Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Program Files\Red Chair Software\Deubox Explorer\deumgr.exe" = C:\Program Files\Red Chair Software\Deubox Explorer\deumgr.exe:*:Enabled:Deubox Xtreamer -- (Red Chair Software, Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Documents and Settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe:*:Enabled:hpofxs08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe:*:Enabled:hpqfxt08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\setup\hpznui01.exe" = C:\Program Files\HP\Digital Imaging\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\setup\hpznui01.exe:*:Enabled:hpznui01.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\Program Files\BitLord\BitLord.exe" = C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord -- (www.BitLord.com)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.5.5
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 23
"{26C849AB-1865-412D-B87D-B18BC5CB6C60}" = OpenMG Secure Module 3.4.01
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3A4D5E2D-988D-4ee9-8E7F-3AC200A2B8F5}" = 4500G510nz_Software_Min
"{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{43FCA273-9534-40DB-B7C5-D7758875616A}" = Dell Support
"{440B915A-0C85-45DB-92AE-75AE14704A64}" = Fax
"{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows 2005-03-23
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{523BD5B6-E904-493C-B902-1BC9B7D44DF4}" = Lexmark Photo Center
"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{5B05FF91-F20C-4832-A8DE-E1912639C17C}" = 4500G510nz
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{66563AD8-637B-407F-BCA7-0233A16891AB}" = Business Contact Manager for Outlook 2003
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{690879A5-18EF-447B-98D6-B699D51008AB}" = 4500_G510nz_Help
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}" = SonicStage 2.0.06
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}" = HP Officejet 4500 G510n-z
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{81D62C32-0984-11D3-86CD-00105AD33021}" = Caere Scan Manager 5.1
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{92A51949-EE4C-466D-AAF0-99E74A49A63F}" = DocMgr
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{98D451C4-4ACA-4273-BB47-57CFE46B048E}" = WD SmartWare
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9B2CFE3B-7F55-4786-A20D-BB244914F6D8}" = EarthLink Setup Files
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel(R) PROSet
"{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.0
"{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}" = Palm
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2455727-ED8F-4643-8A6E-F4AB8DE3633D}" = Network
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B44529FF-501E-47CD-A06D-223C161BE058}" = FinePixViewer Resource
"{B7F98125-4955-41E3-8A71-4CE11CE9C198}" = KODAK Gallery Upload Software
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C73CA646-73B3-4AEF-A136-C37505745174}" = iTunes
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Music Transfer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}" = FinePix Studio
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EB807EB6-5179-48B7-98D4-7B4934A57A81}" = Documents To Go
"{ED55BFEF-90F3-4926-9536-D94FDBBF65DC}" = Zune
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F445476A-42DE-11D4-80D0-00C04F2750A6}" = Epocrates Essentials
"{FA66D65A-6413-43AF-8F29-B22EFEC29869}" = Diagnosaurus
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"360Share" = 360Share(remove only)
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ArcSoft PhotoBase" = ArcSoft PhotoBase
"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
"AudibleDownloadManager" = Audible Download Manager
"BitLord" = BitLord 1.1
"BitTorrent" = BitTorrent 3.4.1
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"Canon ScanGear Toolbox CS" = Canon ScanGear Toolbox CS 2.2
"CNXT_MODEM_PCI_VEN_14F1&DEV_2702" = Conexant SmartHSFi V.9x 56K DF PCI Modem
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-09-21 16:18
"CSCLIB" = Canon Camera Support Core Library
"dBpoweramp FLAC Codec" = dBpoweramp FLAC Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell File Manager" = Dell File Manager
"Deubox Explorer" = Deubox Explorer (remove only)
"Dudebox Explorer" = Dudebox Explorer (remove only)
"E0429B4C05C33DC75CE1CFFF1BAEFFAC69815744" = Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
"EOS Utility" = Canon Utilities EOS Utility
"FLV Player2.0.25" = FLV Player
"HaaliMkx" = Haali Media Splitter
"HijackThis" = HijackThis 2.0.2
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"HPOCR" = OCR Software by I.R.I.S. 13.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ieSpell" = ieSpell
"InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"InstallShield_{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows 2005-03-23
"InstallShield_{523BD5B6-E904-493C-B902-1BC9B7D44DF4}" = Lexmark Photo Center
"InstallShield_{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23
"Java Web Start" = Java Web Start
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"Lexmark Z700-P700 Series" = Lexmark Z700-P700 Series
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MKV TO AVI CONVERTER_is1" = MKV TO AVI CONVERTER version 3.1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Netscape (7.1)" = Netscape (7.1)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"OmniPagePro9.0DeinstKey" = OmniPage Pro 9.0
"OpenMG HotFix3.4-04-14-17-01" = OpenMG Limited Patch 3.4-04-17-06-01
"Optimum Online net guide" = Optimum Online net guide
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Sandlot Games Client Services_is1" = Sandlot Games Client Services
"Scrivener 021" = Scrivener
"Scrivener 022" = Scrivener
"Shop for HP Supplies" = Shop for HP Supplies
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Super Bounce Out!" = Super Bounce Out!
"System Requirements Lab" = System Requirements Lab
"The Core Media Player" = The Core Media Player 4.0
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"Webshots Desktop" = Webshots Desktop
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinMX" = WinMX
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD_is1" = XviD MPEG-4 Video Codec
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{9863F141-7A33-4c9a-A5F2-96996461B216}" = KODAK EASYSHARE Gallery Easy Upload, v2.1
"Adobe Digital Editions" = Adobe Digital Editions
"Dropbox" = Dropbox
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Lexi-CONNECT" = Lexi-CONNECT

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/20/2011 11:05:11 PM | Computer Name = D139KB41 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/20/2011 11:05:11 PM | Computer Name = D139KB41 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/20/2011 11:05:11 PM | Computer Name = D139KB41 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/20/2011 11:05:11 PM | Computer Name = D139KB41 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/26/2011 1:04:52 PM | Computer Name = D139KB41 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 7/9/2011 8:34:09 PM | Computer Name = D139KB41 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19088, fault address 0x0029c203.

Error - 7/21/2011 5:06:54 PM | Computer Name = D139KB41 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/24/2011 1:06:33 PM | Computer Name = D139KB41 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 7/31/2011 1:05:52 PM | Computer Name = D139KB41 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 8/3/2011 11:31:24 PM | Computer Name = D139KB41 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 8/21/2011 3:39:35 AM | Computer Name = D139KB41 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0x80070057'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 8/21/2011 3:39:35 AM | Computer Name = D139KB41 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0x80070057'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 8/21/2011 4:51:02 AM | Computer Name = D139KB41 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 8/21/2011 5:08:53 AM | Computer Name = D139KB41 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 8/21/2011 5:18:44 AM | Computer Name = D139KB41 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0x80070057'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 8/21/2011 5:18:46 AM | Computer Name = D139KB41 | Source = ZuneNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0x80070057'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in the Zune software,
and then restart the ZuneNetworkSvc service.

Error - 8/21/2011 5:18:46 AM | Computer Name = D139KB41 | Source = ZuneNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0x80070057'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in the Zune software,
and then restart the ZuneNetworkSvc service.

Error - 8/21/2011 5:18:46 AM | Computer Name = D139KB41 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0x80070057'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 8/21/2011 5:52:40 AM | Computer Name = D139KB41 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 8/21/2011 6:10:31 AM | Computer Name = D139KB41 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

< End of report >
=========================================================

--Ryodin

redcar92

2011-08-21, 14:42

I apologize for not telling you earlier, combofix.txt is on c:\

ryodin

2011-08-21, 17:21

Oh, I know. I looked for it, but it's not there. There's a folder called "ComboFix" on my C: drive, but when I double click on it, it shows me an identical map of my "My Computer" folder. Meaning, I see all my drives and external hardware listed just as if I had clicked open the "My Computer" folder. It's strange. I can't find a .txt file related to ComboFix anywhere, either.

As I mentioned before, I can't seem to get to the end of the scan with ComboFix where it generates a log.

ryodin

2011-08-21, 18:26

Bill,

I just received a warning from my McAfee Security Center informing me that it is blocking a potentially unwanted program from running on my PC.

Here's the message:

"About This Potentially Unwanted Program
Name: Tool-NirCmd
Quarantined from: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP921\A0129834.exe"

McAfee is asking me if I want to "Remove" or "Allow" the program. What should I do?

--Ryodin

redcar92

2011-08-21, 18:45

That file is in the C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624} witch is the location of your system restore point data and files. I would leave it. We will delete all old restore points that may contain infections, soon. If you wish you can turn off system restore now and loose all of your restore points and data, restart system restore and create a restore point now.

ryodin

2011-08-21, 18:51

Okay, I'll leave it. And I don't want to mess around with the system restore points until we're completely done.

Thanks, Bill!

--Ryodin

redcar92

2011-08-21, 21:48

Greetings Ryodin,
We really need to see the combofix log, so let's try it this way. Please note there are a couple of changed steps.

First
Boot to Safe mode with networking by restarting your PC and begin tapping the F8 key at one second intervals. When the Windows Advanced Options menu appears use the arrow key to scroll down to Safe Mode with Networking. Hit enter and boot to a desktop.

Next
***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below. Save it to your desktop. When saving select Save As ... and change the name to ryod.exe.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFRCNeeded.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CF2.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ryodin

2011-08-21, 22:50

I booted up in Safe Mode and am running ComboFix now.

The scan started at 4:20. It made it to Stage 50 complete at 4:35. It's 4:50 now and it has not gone beyond this point. Just as before, I'm fearing that this may be the best I can get out of ComboFix. The last time it sat there after Stage 50 complete for an hour before I gave up and shut it down.

I get the feeling this is going to happen again, even though it's only been 15 minutes. I'm leaving it running for now, but I'm not so sure it's going to make a difference.

--Ryodin

ryodin

2011-08-22, 01:10

Quick update.

It's been over 2 hours now and still no change. The c:\Autoscan window is still open, and the command prompt is still blinking, but nothing has finalized.

Since I have no other options at this point, I suppose I'll just keep ComboFix running all night. If there's something else you want me to try, I'll do it. But for now I won't reply back tonight unless something changes.

--Ryodin

ryodin

2011-08-22, 04:13

Well, looks like I have to learn a little patience. :D:

It took 5 hours, but it seems I've got my ComboFix log for you after all! I'm pasting it below. For now I'm keeping my PC in Safe Mode. Let me know if it is safe for me to reboot into normal mode.

========================================================
ComboFix 11-08-21.01 - David Batista 08/21/2011 16:19:14.5.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1683 [GMT -4:00]
Running from: c:\documents and settings\David Batista\Desktop\ryod.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-22 to 2011-08-22 )))))))))))))))))))))))))))))))
.
.
2011-08-19 23:31 . 2011-08-19 23:31 -------- d--h--w- c:\windows\PIF
2011-08-19 02:16 . 2011-08-19 02:16 388096 ----a-r- c:\documents and settings\David Batista\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-23 15:02 . 2011-07-23 15:02 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-13 16:13 . 2011-05-19 02:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-17 17:20 . 2011-01-09 18:00 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29 . 2002-08-29 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-08 14:02 . 2002-08-29 11:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2002-08-29 11:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2002-08-29 11:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2002-08-29 11:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2006-03-26 00:22 . 2006-03-26 00:23 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-23 1306728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
c:\documents and settings\David Batista\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
HotSync Manager.LNK - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-3-17 327680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-2-17 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-9-8 5185536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Red Chair Software\\Dudebox Explorer\\dudemgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Red Chair Software\\Deubox Explorer\\deumgr.exe"=
"c:\\Documents and Settings\\David Batista\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
.
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/9/2011 2:00 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [5/8/2010 3:40 PM 89368]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 3:40 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/8/2010 3:41 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/8/2010 3:41 PM 148520]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [5/8/2010 3:40 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/8/2010 3:40 PM 83688]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 3:40 PM 214904]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/8/2010 11:41 AM 237056]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [9/8/2010 11:45 AM 1034752]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [9/8/2010 11:44 AM 484352]
S3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [5/8/2010 3:40 PM 57432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 5:05 AM 2151640]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 5:05 AM 15232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/8/2010 3:40 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [5/8/2010 3:40 PM 85984]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 11:19]
.
2011-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.1.1
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-21 21:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\System32\l3codeca.acm
c:\windows\system32\DivXa32.acm
.
- - - - - - - > 'explorer.exe'(824)
c:\windows\system32\WININET.dll
c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2011-08-21 21:21:05
ComboFix-quarantined-files.txt 2011-08-22 01:20
ComboFix2.txt 2008-07-22 22:54
.
Pre-Run: 42,585,219,072 bytes free
Post-Run: 73,111,101,440 bytes free
.
- - End Of File - - 132128C627B6F54B188D0BA44F6C22D4
========================================================

--Ryodin

redcar92

2011-08-22, 04:18

Allll right, way to go, :bigthumb: :thanks:

ryodin

2011-08-23, 04:51

Are there any other programs to run or steps to take? I get the feeling I'm not done yet, correct?

And I still cannot delete the corrupted .exe files from off my desktop.

--Ryodin

redcar92

2011-08-23, 05:02

Oh yes there is more to do , you will know when we are done I will post All Clean,
Back soon.

ryodin

2011-08-23, 05:09

Oh okay, great. :thanks:

redcar92

2011-08-23, 18:47

Greetings Ryodin,

Please go to one of the below sites to scan the following files:
Virus Total (http://www.virustotal.com)
VirScan (http://virscan.org/)
jotti.org (http://virusscan.jotti.org/)

click on Browse, and upload the following file for analysis:
C:\WINDOWS\System32\DC5F143025.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
When done please do this file also, C:\WINDOWS\System32[\2530145FDC.sys

ryodin

2011-08-23, 19:32

Bill,

Okay, I analyzed the first file and here are the results below. I'll analyze the second file in a follow-up post.

=========================================================
Antivirus Version Last Update Result
AhnLab-V3 2011.08.23.01 2011.08.23 -
AntiVir 7.11.13.192 2011.08.23 -
Antiy-AVL 2.0.3.7 2011.08.23 -
Avast 4.8.1351.0 2011.08.23 -
Avast5 5.0.677.0 2011.08.23 -
AVG 10.0.0.1190 2011.08.23 -
BitDefender 7.2 2011.08.23 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.23 -
ClamAV 0.97.0.0 2011.08.23 -
Commtouch 5.3.2.6 2011.08.23 -
Comodo 9847 2011.08.23 -
DrWeb 5.0.2.03300 2011.08.23 -
Emsisoft 5.1.0.10 2011.08.23 -
eSafe 7.0.17.0 2011.08.22 -
eTrust-Vet 36.1.8516 2011.08.23 -
F-Prot 4.6.2.117 2011.08.23 -
F-Secure 9.0.16440.0 2011.08.23 -
Fortinet 4.2.257.0 2011.08.23 -
GData 22 2011.08.23 -
Ikarus T3.1.1.107.0 2011.08.23 -
Jiangmin 13.0.900 2011.08.23 -
K7AntiVirus 9.111.5047 2011.08.23 -
Kaspersky 9.0.0.837 2011.08.23 -
McAfee 5.400.0.1158 2011.08.23 -
McAfee-GW-Edition 2010.1D 2011.08.23 -
Microsoft 1.7604 2011.08.23 -
NOD32 6404 2011.08.23 -
Norman 6.07.10 2011.08.23 -
nProtect 2011-08-23.01 2011.08.23 -
Panda 10.0.3.5 2011.08.23 -
PCTools 8.0.0.5 2011.08.23 -
Prevx 3.0 2011.08.23 -
Rising 23.72.01.03 2011.08.23 -
Sophos 4.68.0 2011.08.23 -
SUPERAntiSpyware 4.40.0.1006 2011.08.23 -
Symantec 20111.2.0.82 2011.08.23 -
TheHacker 6.7.0.1.282 2011.08.22 -
TrendMicro 9.500.0.1008 2011.08.23 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.23 -
VBA32 3.12.16.4 2011.08.23 -
VIPRE 10248 2011.08.23 -
ViRobot 2011.8.23.4635 2011.08.23 -
VirusBuster 14.0.181.1 2011.08.22 -
Additional informationShow all
MD5 : 0641a46f1e58529a42ead4573a3a0861
SHA1 : 2fa91927668fb0b3a4da32722825e15080cb5c21
SHA256: 9d7d948ef1329cc1db5fb77cbe9ed7bbf7d74cd8be1ad214689ebbe52a2267cb
ssdeep: 3:hl/n:r
File size : 8 bytes
First seen: 2008-03-02 16:02:20
Last seen : 2011-08-23 17:13:19
TrID:
MS Flight Simulator Aircraft Performance Info (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
=========================================================

--Ryodin

ryodin

2011-08-23, 19:37

And here is the second file analyzed:

========================================================
File name: 2530145FDC.sys
Submission date: 2011-08-23 17:21:05 (UTC)
Current status: queued queued analysing finished

Result: 0/ 44 (0.0%)
VT Community

not reviewed
Safety score: -
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.08.23.01 2011.08.23 -
AntiVir 7.11.13.192 2011.08.23 -
Antiy-AVL 2.0.3.7 2011.08.23 -
Avast 4.8.1351.0 2011.08.23 -
Avast5 5.0.677.0 2011.08.23 -
AVG 10.0.0.1190 2011.08.23 -
BitDefender 7.2 2011.08.23 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.23 -
ClamAV 0.97.0.0 2011.08.23 -
Commtouch 5.3.2.6 2011.08.23 -
Comodo 9847 2011.08.23 -
DrWeb 5.0.2.03300 2011.08.23 -
Emsisoft 5.1.0.10 2011.08.23 -
eSafe 7.0.17.0 2011.08.22 -
eTrust-Vet 36.1.8516 2011.08.23 -
F-Prot 4.6.2.117 2011.08.23 -
F-Secure 9.0.16440.0 2011.08.23 -
Fortinet 4.2.257.0 2011.08.23 -
GData 22 2011.08.23 -
Ikarus T3.1.1.107.0 2011.08.23 -
Jiangmin 13.0.900 2011.08.23 -
K7AntiVirus 9.111.5047 2011.08.23 -
Kaspersky 9.0.0.837 2011.08.23 -
McAfee 5.400.0.1158 2011.08.23 -
McAfee-GW-Edition 2010.1D 2011.08.23 -
Microsoft 1.7604 2011.08.23 -
NOD32 6404 2011.08.23 -
Norman 6.07.10 2011.08.23 -
nProtect 2011-08-23.01 2011.08.23 -
Panda 10.0.3.5 2011.08.23 -
PCTools 8.0.0.5 2011.08.23 -
Prevx 3.0 2011.08.23 -
Rising 23.72.01.03 2011.08.23 -
Sophos 4.68.0 2011.08.23 -
SUPERAntiSpyware 4.40.0.1006 2011.08.23 -
Symantec 20111.2.0.82 2011.08.23 -
TheHacker 6.7.0.1.282 2011.08.22 -
TrendMicro 9.500.0.1008 2011.08.23 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.23 -
VBA32 3.12.16.4 2011.08.23 -
VIPRE 10248 2011.08.23 -
ViRobot 2011.8.23.4635 2011.08.23 -
VirusBuster 14.0.181.1 2011.08.22 -
Additional informationShow all
MD5 : 521d9a238efc6f855bb98ea868a8ec55
SHA1 : 5c336f141a8496ff44b80e744cbac6f3f54fc6f8
SHA256: b1bd8cbc91e6d5c668f902c5cd8c2c3a97905e3389f5c24cac238791390b21bc
=========================================================

Apparently both files came back with 0.0% results.

--Ryodin

redcar92

2011-08-23, 20:22

How is your PC behaving now?

ryodin

2011-08-23, 21:08

It *seems* normal now. I'm still getting the prompt in my sys tray to download the latest Windows automatic update from MS. If you recall, I had mentioned that one of the problems I was having was that I would download this update for the latest Malicious Software Remover tool version over and over, only to have the prompt show up again each time I restarted my PC.

Also, whenever I shut down my PC I see the same prompt to allow the Windows update to install while shutting down. No matter how many times I allow it to do so, it's still there the next time I shut down.

Since running these fixes, I've refrained from initiating the Windows update download for fear of making any changes to my PC during this time.

--Ryodin

redcar92

2011-08-24, 00:59

Greetings Ryodin,
We need to check one more please.

Please go to one of the below sites to scan the following files:
Virus Total (http://www.virustotal.com)
VirScan (http://virscan.org/)
jotti.org (http://virusscan.jotti.org/)

click on Browse, and upload the following file for analysis:
C:\WINDOWS\system32\drivers\serial.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

ryodin

2011-08-24, 02:26

Whoa! Seems we hit the jackpot! Quite a few suspicious looking items on this one. Here's the results:

=========================================================
File name: serial.sys
Submission date: 2011-08-24 00:16:08 (UTC)
Current status: queued (#4) queued analysing finished

Result: 22/ 44 (50.0%)

Antivirus Version Last Update Result

AhnLab-V3 2011.08.23.01 2011.08.23 Backdoor/Win32.ZAccess
AntiVir 7.11.13.196 2011.08.23 TR/Gendal.kdv.302318
Antiy-AVL 2.0.3.7 2011.08.23 -
Avast 4.8.1351.0 2011.08.24 Win32:Sirefef-H [Rtk]
Avast5 5.0.677.0 2011.08.24 Win32:Sirefef-H [Rtk]
AVG 10.0.0.1190 2011.08.24 BackDoor.Generic14.PXV
BitDefender 7.2 2011.08.24 Trojan.Generic.KDV.302318
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.23 -
ClamAV 0.97.0.0 2011.08.23 -
Commtouch 5.3.2.6 2011.08.23 -
Comodo 9849 2011.08.23 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.08.24 -
Emsisoft 5.1.0.10 2011.08.23 -
eSafe 7.0.17.0 2011.08.22 -
eTrust-Vet 36.1.8518 2011.08.24 -
F-Prot 4.6.2.117 2011.08.23 -
F-Secure 9.0.16440.0 2011.08.24 Trojan.Generic.KDV.302318
Fortinet 4.2.257.0 2011.08.23 -
GData 22 2011.08.24 Trojan.Generic.KDV.302318
Ikarus T3.1.1.107.0 2011.08.23 -
Jiangmin 13.0.900 2011.08.23 Trojan/Generic.jdvy
K7AntiVirus 9.111.5047 2011.08.23 -
Kaspersky 9.0.0.837 2011.08.24 HEUR:Trojan.Win32.Generic
McAfee 5.400.0.1158 2011.08.24 Artemis!1B7E9A275B4E
McAfee-GW-Edition 2010.1D 2011.08.23 Artemis!1B7E9A275B4E
Microsoft 1.7604 2011.08.24 -
NOD32 6404 2011.08.24 a variant of Win32/Rootkit.Kryptik.DM
Norman 6.07.10 2011.08.23 -
nProtect 2011-08-23.01 2011.08.23 Gen:Variant.TDss.15
Panda 10.0.3.5 2011.08.23 Generic Trojan
PCTools 8.0.0.5 2011.08.24 Trojan.ADH
Prevx 3.0 2011.08.24 -
Rising 23.72.01.03 2011.08.23 -
Sophos 4.68.0 2011.08.24 Mal/TDSSPack-A
SUPERAntiSpyware 4.40.0.1006 2011.08.24 -
Symantec 20111.2.0.82 2011.08.24 Trojan.ADH
TheHacker 6.7.0.1.284 2011.08.23 Trojan/Kryptik.dm
TrendMicro 9.500.0.1008 2011.08.23 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.24 -
VBA32 3.12.16.4 2011.08.23 -
VIPRE 10251 2011.08.24 Trojan.Win32.Generic!BT
ViRobot 2011.8.23.4635 2011.08.23 -
VirusBuster 14.0.182.0 2011.08.23 Rootkit.Kryptik!PC535YpzZcY
Additional informationShow all
MD5 : 1b7e9a275b4e01615667611596608c5c
SHA1 : 705c9da83bd825b2014f0c734d312be26cb119ed
SHA256: 6744d39c417292c96f71f38e69f7eb618b4281f779f7d63c5a1b768020c806cb
=========================================================

--Ryodin

redcar92

2011-08-24, 04:00

Greetings Ryodin,
Here we go with Combofix

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:

File::
Filelook::
C:\WINDOWS\system32\drivers\serial.sys
Folder::
Registry::
Driver::

Save this as "CFScript.txt", and as* Type: All Files (*.*) in the same location as ComboFix.exe

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFscript.png

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ryodin

2011-08-24, 04:42

Everything went smoothly. Phew!

Here's the log of the results:

=========================================================
ComboFix 11-08-23.06 - David Batista 08/23/2011 22:20:00.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1293 [GMT -4:00]
Running from: c:\documents and settings\David Batista\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David Batista\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2011-08-23 11:01 . 2011-08-23 11:01 -------- d-----w- c:\windows\LastGood
2011-08-19 23:31 . 2011-08-19 23:31 -------- d--h--w- c:\windows\PIF
2011-08-19 02:16 . 2011-08-19 02:16 388096 ----a-r- c:\documents and settings\David Batista\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-13 16:13 . 2011-05-19 02:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-17 17:20 . 2011-01-09 18:00 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29 . 2002-08-29 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-08 14:02 . 2002-08-29 11:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2002-08-29 11:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2002-08-29 11:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2002-08-29 11:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2006-03-26 00:22 . 2006-03-26 00:23 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\drivers\serial.sys ---
Company: Microsoft Corporation
File Description: Serial Device Driver
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: serial.sys
File size: 64512
Created time: 2002-08-29 11:00
Modified time: 2008-04-13 19:15
MD5: CCA207A8896D4C6A0C9CE29A4AE411A7
SHA1: 57F1FAE6A306BF14F6EF3E43C0C4252E9F21C0DC
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-22_01.16.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-23 10:57 . 2011-08-23 10:57 16384 c:\windows\temp\Perflib_Perfdata_344.dat
+ 2002-09-03 08:08 . 2011-08-23 22:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2011-08-21 15:49 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2002-09-03 08:08 . 2011-08-23 22:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2011-08-21 15:49 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-07-01 03:00 . 2011-08-23 22:23 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2009-07-01 03:00 . 2011-08-21 15:49 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2002-09-03 08:08 . 2011-08-21 15:49 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2011-08-23 03:51 . 2011-08-23 22:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2011-08-23 11:01 . 2002-09-03 14:31 4594 c:\windows\LastGood\system32\oembios.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-23 1306728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
c:\documents and settings\David Batista\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
HotSync Manager.LNK - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-3-17 327680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-2-17 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-9-8 5185536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Red Chair Software\\Dudebox Explorer\\dudemgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Red Chair Software\\Deubox Explorer\\deumgr.exe"=
"c:\\Documents and Settings\\David Batista\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
.
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/9/2011 2:00 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [5/8/2010 3:40 PM 89368]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 3:40 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 3:40 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/8/2010 3:41 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/8/2010 3:41 PM 148520]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/8/2010 11:41 AM 237056]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [9/8/2010 11:45 AM 1034752]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [9/8/2010 11:44 AM 484352]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [5/8/2010 3:40 PM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [5/8/2010 3:40 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/8/2010 3:40 PM 83688]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 5:06 PM 11520]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 5:05 AM 2151640]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 5:05 AM 15232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/8/2010 3:40 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [5/8/2010 3:40 PM 85984]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 11:19]
.
2011-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-23 22:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-08-23 22:34:46
ComboFix-quarantined-files.txt 2011-08-24 02:34
ComboFix2.txt 2011-08-22 01:21
ComboFix3.txt 2008-07-22 22:54
.
Pre-Run: 70,550,511,616 bytes free
Post-Run: 70,587,117,568 bytes free
.
- - End Of File - - 5CC3C1B1A26A530F12DBABA71AB75CB5
=========================================================

--Ryodin

redcar92

2011-08-25, 16:15

Greetings Ryodin,
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
serial.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

ryodin

2011-08-26, 00:31

Here is the log of the SystemLook scan:

=========================================================
SystemLook 30.07.11 by jpshortstuff
Log created at 18:20 on 25/08/2011 by David Batista
Administrator - Elevation successful

========== filefind ==========

Searching for "serial.sys"
C:\I386\SERIAL.SYS --a---- 62464 bytes [05:54 21/02/2004] [11:00 29/08/2002] DC7CBFEC14B1B38BCF32ABA922FFEAAD
C:\WINDOWS\$NtServicePackUninstall$\serial.sys -----c- 64896 bytes [02:06 23/07/2008] [06:15 04/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\WINDOWS\ServicePackFiles\i386\serial.sys ------- 64512 bytes [06:15 04/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\SYSTEM32\DLLCACHE\serial.sys --a---- 64512 bytes [11:00 29/08/2002] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\SYSTEM32\DRIVERS\serial.sys --a---- 64512 bytes [11:00 29/08/2002] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7

-= EOF =-
=========================================================

--Ryodin

ken545

2011-08-26, 03:30

Bump to next post

redcar92

2011-08-26, 03:40

Greetings Ryodin,
Let's run aswMBR to see if serial.sys still shows up.
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the**save log button, save it to your desktop and post it in your next reply.

ryodin

2011-08-26, 06:10

Here are the results of the latest aswMBR scan:

=========================================================
aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-25 22:09:02
-----------------------------
22:09:02.390 OS Version: Windows 5.1.2600 Service Pack 3
22:09:02.390 Number of processors: 1 586 0x209
22:09:02.390 ComputerName: D139KB41 UserName:
22:09:04.453 Initialize success
22:10:49.484 AVAST engine defs: 11082501
22:10:55.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
22:10:55.312 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
22:10:57.328 Disk 0 MBR read successfully
22:10:57.328 Disk 0 MBR scan
22:10:57.343 Disk 0 Windows XP default MBR code
22:10:57.343 Disk 0 scanning sectors +234372285
22:10:57.421 Disk 0 scanning C:\WINDOWS\system32\drivers
22:11:44.015 Service scanning
22:11:49.109 Modules scanning
22:11:55.250 Disk 0 trace - called modules:
22:11:55.250 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
22:11:55.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac32ab8]
22:11:55.265 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8ac81d98]
22:11:56.750 AVAST engine scan C:\WINDOWS
22:12:22.359 AVAST engine scan C:\WINDOWS\system32
22:17:32.625 AVAST engine scan C:\WINDOWS\system32\drivers
22:17:50.906 AVAST engine scan C:\Documents and Settings\David Batista
22:48:15.875 AVAST engine scan C:\Documents and Settings\All Users
23:55:42.656 Scan finished successfully
00:08:21.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\MBR.dat"
00:08:21.546 The log file has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\aswMBR3.txt"
=========================================================

--Ryodin

ken545

2011-08-26, 16:05

Hello,

Hope you dont mind me jumping in, serial.sys may be related to a newer version of a Rootkit named Zero Access, but its not showing up on the new aswMBR scan, can you tell me outside of what Redcar had you run what programs if any did you run on your own ?

ryodin

2011-08-26, 17:02

I haven't run any programs on my own ever since starting this thread, other than the ones Redcar had me run.

I thought we came across something called Zero Access a while back, during one of the scans earlier in the process?

redcar92

2011-08-26, 17:17

Greetings Ryodin,
Please drag Combofix to Recycle Bin.
Download a new Combofix from
Here (http://download.bleepingcomputer.com/sUBs/ComboFix.com)
or
revised version here (http://download.bleepingcomputer.com/sUBs/Iexplore.exe)
save to your desktop.

Reboot in to Safe Mode with networking.
To start the computer in “Safe Mode with Networking”, follow these steps:
To get into the Windows Safe Mode With Networking, as the computer is booting continuously tap the F8 Key which should bring up the Windows Advanced Options Menu.
Use the arrow keys to move to Safe Mode With Networking and press your Enter key.
Once you're done in Safe Mode With Networking and you want to get back into Normal Windows simply restart the computer like you normally would and let it boot normally.

Run Combofix, it may be called ielplorer.exe, that you previously down loaded.
Please be sure that Recovery Console gets installed, we will probably need it soon.

Post the combofix.txt please.

ryodin

2011-08-26, 20:29

I'm running ComboFix now, so this could take several hours. In the meantime, how do I know if the Recovery Console has been installed? In all the times I've run ComboFix, I don't believe I've ever seen this being installed.

--Ryodin

redcar92

2011-08-26, 20:50

The very first time you run Combofix it looks to see if Recovery Console is setup on your system. If it isn't CF stop and ask to install it. If the Recovery Console is installed CF will continue on.
If Recovery Console was installed you should see a black screen with option to select Windows XP or Recovery Console very soon after turning on your PC.

ryodin

2011-08-26, 20:52

Well, looks like it didn't take long to run at all. ComboFix has finished. After all 50 stages cleared, it suddenly rebooted my PC. After the reboot, it generated a log, which I will paste below.

However, I just got a warning from my McAfee Security Center warning me of a potentially unwanted program it's blocking:

"About This Potentially Unwanted Program:
"Name: Artemis!753BC16326FE
"Quarantined From: C:\ComboFix\NIRCmd.3XE"

McAfee then asks me if I want to "Remove" or "Allow" this program.

What should I do?

And, now, here is the latest ComboFix log:

=========================================================
ComboFix 11-08-26.04 - David Batista 08/26/2011 14:15:07.7.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1723 [GMT -4:00]
Running from: c:\documents and settings\David Batista\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
.
.
2011-08-19 23:31 . 2011-08-19 23:31 -------- d--h--w- c:\windows\PIF
2011-08-19 02:16 . 2011-08-19 02:16 388096 ----a-r- c:\documents and settings\David Batista\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-13 16:13 . 2011-05-19 02:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-17 17:20 . 2011-01-09 18:00 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29 . 2002-08-29 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-08 14:02 . 2002-08-29 11:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2002-08-29 11:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2002-08-29 11:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2002-08-29 11:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2006-03-26 00:22 . 2006-03-26 00:23 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-22_01.16.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-26 18:34 . 2011-08-26 18:34 16384 c:\windows\temp\Perflib_Perfdata_f8.dat
+ 2002-09-03 08:08 . 2011-08-26 13:11 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2011-08-21 15:49 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2011-08-21 15:49 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 08:08 . 2011-08-26 13:11 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-07-01 03:00 . 2011-08-26 13:11 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2009-07-01 03:00 . 2011-08-21 15:49 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
+ 2011-08-24 03:00 . 2011-08-26 13:11 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2002-09-03 08:08 . 2011-08-21 15:49 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-07-13 1312384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
c:\documents and settings\David Batista\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
HotSync Manager.LNK - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-3-17 327680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-2-17 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-9-8 5185536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Red Chair Software\\Dudebox Explorer\\dudemgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Red Chair Software\\Deubox Explorer\\deumgr.exe"=
"c:\\Documents and Settings\\David Batista\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
.
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/9/2011 2:00 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [5/8/2010 3:40 PM 89368]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 3:40 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 3:40 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/8/2010 3:41 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/8/2010 3:41 PM 148520]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/8/2010 11:41 AM 237056]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [9/8/2010 11:45 AM 1034752]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [9/8/2010 11:44 AM 484352]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [5/8/2010 3:40 PM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [5/8/2010 3:40 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/8/2010 3:40 PM 83688]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 5:06 PM 11520]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 5:05 AM 2151640]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 5:05 AM 15232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/8/2010 3:40 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [5/8/2010 3:40 PM 85984]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 11:19]
.
2011-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.1.1
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-26 14:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(376)
c:\windows\system32\WININET.dll
c:\documents and settings\David Batista\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-08-26 14:44:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-26 18:44
ComboFix2.txt 2011-08-24 02:34
ComboFix3.txt 2011-08-22 01:21
ComboFix4.txt 2008-07-22 22:54
.
Pre-Run: 71,606,595,584 bytes free
Post-Run: 69,474,693,120 bytes free
.
- - End Of File - - C26BF37B7FA61698F4BC6194A98498AB
=========================================================

--Ryodin

redcar92

2011-08-26, 22:28

For the next step it is necessary to be sure Recovery Console is installed on your PC. When you boot up do you see the black screen, for about 3 seconds with Windows XP and Recovery Console listed? If you hit an arrow key the timer will stop. You can then arrow down to Recovery Console then hit enter. It will bring you to a black window with DOS prompt.

ryodin

2011-08-26, 22:46

Yes, when rebooting my PC and putting it in Safe Mode, I did in fact notice an option to launch the Revovery Console.

Before I do anything else, what about the McAfee security warning? I've left the message window open asking me if I should "remove" or "allow" this "Artemis!753BC16326FE" program it's quarantined.

--Ryodin

redcar92

2011-08-26, 23:04

You should allow "Artemis!753BC16326FE" it is part of Combo fix.

ryodin

2011-08-26, 23:16

Okay, done. Thank you.

I'll await further instructions.

--Ryodin

redcar92

2011-08-27, 00:21

Greetings Ryodin,
I need to relay to you that your PC has/had a very serious and difficult infection and not easily fixed. Besides me there are two other senior experts working on our problem.

This next procedure is a bit tricky.
Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or have this page open on another computer for reference as you will not have access to any browsers while you are carrying out portions of these instructions.

===============================================================

Next, please download maxlook (http://noahdfear.net/downloads/maxlook.exe), saving the file to your desktop.

Double click maxlook.exe to run it. Note - you must run it only once

The tool will prompt you to restart the machine and boot into the Recovery Console.

===============================================================

1. Reboot your computer and press any key on the keyboard when prompted.

2. Press R to load the Recovery Console.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

5. You should now be presented with a C:\Windows> prompt

At that prompt, type in the following bolded text and press Enter

batch look.bat

(Note - there is a space between the words batch and look.bat)

Reduced: 99% of original size [ 641 x 397 ] - Click to view full image
http://noahdfear.net/WTT/lookXP.gif

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, click Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and attach the C:\looklog.txt in your next reply

ryodin

2011-08-27, 01:17

My sincerest thanks goes out to all of you working on this problem. I am aware of the tremendous help you and your colleagues are providing me.

I will begin running the processes you outlined above. Hopefully I'll have a log for you in short order.

See you on the other side.

--Ryodin

ryodin

2011-08-27, 01:38

Okay, I have a question already.

When running Maxlook, after asking me to restart my machine and boot into the Recovery Console, it prompts me to "press any key to continue". I pressed the key, and then maxlook promptly ended. I restarted my machine, but wasn't clear if I was supposed to keep pressing F8 or not upon startup. When I didn't press F8, I booted into normal Windows mode.

Am I supposed to press F8 after startup? If not, how do I get into Recovery Console? There were no other prompts upon startup.

--Ryodin

ryodin

2011-08-27, 01:43

Never mind, I think I got it now. Will post a follow-up reply shortly.

ryodin

2011-08-27, 01:56

Okay, here is the log:

=========================================================

Run from C:\Documents and Settings\David Batista\Desktop\maxlook.exe on Fri 08/26/2011 at 19:46:43.90

--------- maxlook unsigned files ---------

c:\windows\maxdrive\BVRPMPR5.SYS:
Verified: Unsigned
File date: 11:58 PM 9/8/2008
Publisher: Avanquest Software
Description: BVRP NDIS 5.0 MPR Protocol Driver
Product: BVRPNDIS Rawether for Windows
Version: 2.00.00.01
File version: 2.00.00.01
c:\windows\maxdrive\drvmcdb.sys:
Verified: Unsigned
File date: 5:21 AM 7/31/2003
Publisher: Sonic Solutions
Description: Device Driver
Product: n/a
Version: n/a
File version: 3.21.65a
c:\windows\maxdrive\drvnddm.sys:
Verified: Unsigned
File date: 4:56 AM 6/20/2003
Publisher: Sonic Solutions
Description: Device Driver Manager
Product: n/a
Version: n/a
File version: 2.56.38a
c:\windows\maxdrive\goprot51.sys:
Verified: Unsigned
File date: 11:22 PM 12/15/2006
Publisher: Gteko Ltd.
Description: Gteko's GoProto protocol driver
Product: Gteko Diagnostics Network Module
Version: 2, 1, 0, 21
File version: 2, 1, 0, 21
c:\windows\maxdrive\hnm_wrls_pkt.sys:
Verified: Unsigned
File date: 2:01 AM 7/14/2006
Publisher: SingleClick Systems
Description: SCS NDIS 5.0 Wireless Protocol Driver
Product: Wireless Protocol Driver
Version: 1, 0, 0, 0
File version: 1, 0, 0, 0
c:\windows\maxdrive\iqvw32.sys:
Verified: Unsigned
File date: 7:39 PM 3/17/2003
Publisher: Intel Corporation
Description: Intel(R) Network Adapter Diagnostic Driver
Product: Intel(R) iQVW32.SYS
Version: 1.00.12.0
File version: 1.00.12.0 built by: WinDDK
c:\windows\maxdrive\omci.sys:
Verified: Unsigned
File date: 3:45 PM 11/8/2002
Publisher: Dell Computer Corporation
Description: OMCI Device Driver
Product: OMCI Driver
Version: 7, 0, 323, 0
File version: 7, 0, 323, 0
c:\windows\maxdrive\packet.sys:
Verified: Unsigned
File date: 2:00 AM 7/14/2006
Publisher: SingleClick Systems
Description: SCS NDIS 5.0 Auto IP Protocol Driver
Product: Auto IP Protocol Driver
Version: 1, 0, 0, 0
File version: 1, 0, 0, 0
c:\windows\maxdrive\SbcpHid.sys:
Verified: Unsigned
File date: 10:52 AM 7/19/2001
Publisher:
Description:
Product:
Version: 5,00,21,0
File version: 5,00,21,0
c:\windows\maxdrive\sscdbhk5.sys:
Verified: Unsigned
File date: 1:28 PM 7/14/2003
Publisher: Sonic Solutions
Description: Shared Driver Component
Product: n/a
Version: n/a
File version: 1.10.81a
c:\windows\maxdrive\ssrtln.sys:
Verified: Unsigned
File date: 1:28 PM 7/14/2003
Publisher: Sonic Solutions
Description: Shared Driver Component
Product: n/a
Version: n/a
File version: 1.10.81a
c:\windows\maxdrive\StMp3Rec.sys:
Verified: Unsigned
File date: 9:32 PM 12/18/2004
Publisher: Generic
Description: Generic MP3 Player USB Driver
Product: Generic MP3 Player
Version: 139, 0, 551, 1
File version: 1, 551, 0, 139
c:\windows\maxdrive\wsp_pkt.sys:
Verified: Unsigned
File date: 2:02 AM 7/14/2006
Publisher: SingleClick Systems
Description: SCS NDIS 5.0 Wireless Security Protocol Driver
Product: Wireless Security Protocol Driver
Version: 1, 0, 0, 0
File version: 1, 0, 0, 0

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\BVRPMPR5.SYS:
Verified: Unsigned
File date: 11:58 PM 9/8/2008
Publisher: Avanquest Software
Description: BVRP NDIS 5.0 MPR Protocol Driver
Product: BVRPNDIS Rawether for Windows
Version: 2.00.00.01
File version: 2.00.00.01
c:\windows\system32\drivers\drvmcdb.sys:
Verified: Unsigned
File date: 5:21 AM 7/31/2003
Publisher: Sonic Solutions
Description: Device Driver
Product: n/a
Version: n/a
File version: 3.21.65a
c:\windows\system32\drivers\drvnddm.sys:
Verified: Unsigned
File date: 4:56 AM 6/20/2003
Publisher: Sonic Solutions
Description: Device Driver Manager
Product: n/a
Version: n/a
File version: 2.56.38a
c:\windows\system32\drivers\goprot51.sys:
Verified: Unsigned
File date: 11:22 PM 12/15/2006
Publisher: Gteko Ltd.
Description: Gteko's GoProto protocol driver
Product: Gteko Diagnostics Network Module
Version: 2, 1, 0, 21
File version: 2, 1, 0, 21
c:\windows\system32\drivers\hnm_wrls_pkt.sys:
Verified: Unsigned
File date: 2:01 AM 7/14/2006
Publisher: SingleClick Systems
Description: SCS NDIS 5.0 Wireless Protocol Driver
Product: Wireless Protocol Driver
Version: 1, 0, 0, 0
File version: 1, 0, 0, 0
c:\windows\system32\drivers\iqvw32.sys:
Verified: Unsigned
File date: 7:39 PM 3/17/2003
Publisher: Intel Corporation
Description: Intel(R) Network Adapter Diagnostic Driver
Product: Intel(R) iQVW32.SYS
Version: 1.00.12.0
File version: 1.00.12.0 built by: WinDDK
c:\windows\system32\drivers\omci.sys:
Verified: Unsigned
File date: 3:45 PM 11/8/2002
Publisher: Dell Computer Corporation
Description: OMCI Device Driver
Product: OMCI Driver
Version: 7, 0, 323, 0
File version: 7, 0, 323, 0
c:\windows\system32\drivers\packet.sys:
Verified: Unsigned
File date: 2:00 AM 7/14/2006
Publisher: SingleClick Systems
Description: SCS NDIS 5.0 Auto IP Protocol Driver
Product: Auto IP Protocol Driver
Version: 1, 0, 0, 0
File version: 1, 0, 0, 0
c:\windows\system32\drivers\SbcpHid.sys:
Verified: Unsigned
File date: 10:52 AM 7/19/2001
Publisher:
Description:
Product:
Version: 5,00,21,0
File version: 5,00,21,0
c:\windows\system32\drivers\sscdbhk5.sys:
Verified: Unsigned
File date: 1:28 PM 7/14/2003
Publisher: Sonic Solutions
Description: Shared Driver Component
Product: n/a
Version: n/a
File version: 1.10.81a
c:\windows\system32\drivers\ssrtln.sys:
Verified: Unsigned
File date: 1:28 PM 7/14/2003
Publisher: Sonic Solutions
Description: Shared Driver Component
Product: n/a
Version: n/a
File version: 1.10.81a
c:\windows\system32\drivers\StMp3Rec.sys:
Verified: Unsigned
File date: 9:32 PM 12/18/2004
Publisher: Generic
Description: Generic MP3 Player USB Driver
Product: Generic MP3 Player
Version: 139, 0, 551, 1
File version: 1, 551, 0, 139
c:\windows\system32\drivers\wsp_pkt.sys:
Verified: Unsigned
File date: 2:02 AM 7/14/2006
Publisher: SingleClick Systems
Description: SCS NDIS 5.0 Wireless Security Protocol Driver
Product: Wireless Security Protocol Driver
Version: 1, 0, 0, 0
File version: 1, 0, 0, 0

=========================================================

--Ryodin

redcar92

2011-08-27, 17:32

Hello ryodin,

Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot

be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

ryodin

2011-08-28, 00:59

Sorry for the delay. It took nearly 7 whole hours for the program to scan through everything, but I finally have a log for you.

I'm being told that the log is too long to paste in one post, so I will split in half if I can. Here is the 1st part:

=========================================================
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-27 18:52:36
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST3120026AS rev.8.05
Running: gmer.exe; Driver: C:\DOCUME~1\DAVIDB~1\LOCALS~1\Temp\uwtyapoc.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF745FD86]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF745FDB2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF745FE08]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF745FD5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF745FD34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF745FD48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF745FD9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF745FDDE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF745FE32]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF745FE1E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF745FDF2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01920000
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01920022
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01920011
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01970FE5
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01970F43
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01970042
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01970031
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01970F68
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01970F83
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0197008B
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0197007A
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01970F0D
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 019700A6
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01970EFC
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0197000A
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01970FD4
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01970053
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01970F94
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01970FAF
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01970F28
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0196001B
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01960058
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01960FCA
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01960FE5
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01960047
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01960000
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01960036
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01960FAF
.text C:\WINDOWS\system32\svchost.exe[128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0195005F
.text C:\WINDOWS\system32\svchost.exe[128] msvcrt.dll!system 77C293C7 5 Bytes JMP 01950044
.text C:\WINDOWS\system32\svchost.exe[128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01950FEF
.text C:\WINDOWS\system32\svchost.exe[128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0195000C
.text C:\WINDOWS\system32\svchost.exe[128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01950FD4
.text C:\WINDOWS\system32\svchost.exe[128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01950029
.text C:\WINDOWS\system32\svchost.exe[128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01940000
.text C:\WINDOWS\system32\svchost.exe[128] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 01930FEF
.text C:\WINDOWS\system32\svchost.exe[128] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 01930FD4
.text C:\WINDOWS\system32\svchost.exe[128] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 01930FB9
.text C:\WINDOWS\system32\svchost.exe[128] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 0193000A
.text C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0000
.text C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40000
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40073
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40062
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40051
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40040
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40F9E
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C40084
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40F48
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40EE1
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40F06
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40095
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C4002F
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40F63
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\Explorer.EXE[308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C40F21
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FDB
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F94
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C3002C
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C3001B
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30051
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FAF
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\Explorer.EXE[308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FC0
.text C:\WINDOWS\Explorer.EXE[308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\Explorer.EXE[308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C2007A
.text C:\WINDOWS\Explorer.EXE[308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20044
.text C:\WINDOWS\Explorer.EXE[308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\WINDOWS\Explorer.EXE[308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20055
.text C:\WINDOWS\Explorer.EXE[308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20029
.text C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\Explorer.EXE[308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0054
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0039
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F6B
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0F7C
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FA8
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB008C
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB007B
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00BF
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00AE
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB00DA
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F8D
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F44
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\System32\svchost.exe[492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB009D
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA001B
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA006C
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0000
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA0047
.text C:\WINDOWS\System32\svchost.exe[492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA002C
.text C:\WINDOWS\System32\svchost.exe[492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930F93
.text C:\WINDOWS\System32\svchost.exe[492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FA4
.text C:\WINDOWS\System32\svchost.exe[492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FC6
.text C:\WINDOWS\System32\svchost.exe[492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FB5
.text C:\WINDOWS\System32\svchost.exe[492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FE3
.text C:\WINDOWS\System32\svchost.exe[492] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[492] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[492] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 0091001B
.text C:\WINDOWS\System32\svchost.exe[492] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00910FCA
.text C:\WINDOWS\System32\svchost.exe[492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[760] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\WINDOWS\system32\svchost.exe[828] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[828] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[828] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20067
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20056
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F7C
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F97
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C2009D
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C2008C
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20F3A
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200D3
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20F29
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FB2
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20F61
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C2002F
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\svchost.exe[828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C200C2
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10F79
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C10F94
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10025
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00F9C
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00FC1
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00027
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FD2
.text C:\WINDOWS\system32\svchost.exe[828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C0000C
.text C:\WINDOWS\System32\svchost.exe[896] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\System32\svchost.exe[896] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F00FDE
.text C:\WINDOWS\System32\svchost.exe[896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F0000A
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F83
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F9E
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40FB9
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40076
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40051
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F50
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F61
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400CE
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F35
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40F10
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40FCA
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40F72
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40040
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40025
.text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400B3
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30FD1
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F30084
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30022
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30011
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30073
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30000
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F30058
.text C:\WINDOWS\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F3003D
.text C:\WINDOWS\System32\svchost.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F2002E
.text C:\WINDOWS\System32\svchost.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F2001D
.text C:\WINDOWS\System32\svchost.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20FB7
.text C:\WINDOWS\System32\svchost.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\System32\svchost.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F2000C
.text C:\WINDOWS\System32\svchost.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20FD2
.text C:\WINDOWS\System32\svchost.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\services.exe[1016] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1016] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[1016] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FDB
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60085
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E60F90
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E6006A
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60FA1
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E600CE
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E600BD
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E60F3C
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E60F57
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E600FA
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E60FB2
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E600A0
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E6002F
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\services.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E600DF
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0006005A
.text C:\WINDOWS\system32\services.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060049
.text C:\WINDOWS\system32\services.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\services.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060038
.text C:\WINDOWS\system32\services.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[1028] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\lsass.exe[1028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0FCD
.text C:\WINDOWS\system32\lsass.exe[1028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E9007F
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E9006E
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F94
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90051
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F37
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F48
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90F01
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F1C
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900B5
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90011
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90F6F
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FDB
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\lsass.exe[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E9009A
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF009F
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF008E
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0073
.text C:\WINDOWS\system32\lsass.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0058
.text C:\WINDOWS\system32\lsass.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0031
.text C:\WINDOWS\system32\lsass.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0F9C
.text C:\WINDOWS\system32\lsass.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\lsass.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE000C
.text C:\WINDOWS\system32\lsass.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FB7
.text C:\WINDOWS\system32\lsass.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\lsass.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F8002F
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F8000A
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC00BF
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0098
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0087
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0FDB
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0101
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC00E4
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0130
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F8D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0F7C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC006C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0011
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0FB9
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC003D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC002C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0FA8
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB0FCA
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0051
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0040
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0F9E
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA004C
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0031
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0FD2
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FC1
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FE3
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0093
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F94
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0FA5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0062
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0047
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD0F52
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F79
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F30
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F41
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD00E4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD0FC0
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD001B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD00A4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD002C
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD0FDB
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD00BF
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0040
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0F97
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC001B
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC0FB2
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FC3
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0FD4
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0FA6
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0FB7
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0FD2
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0027
.text =========================================================

---Ryodin

ryodin

2011-08-28, 01:03

Seems I will need to split this into 3 parts -- it's that long!

I think I should have mentioned before, but I've had my machine for almost 8 years now. In that time I think I've accumulated a lot of stuff, some good some bad. That might explain why these scans take so long to run.

Anyway, here is the next segment of the log:

=========================================================
C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FE3
.text C:\WINDOWS\system32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA000A
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02E90000
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02E90022
.text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02E90011
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 053C0FEF
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 053C0F84
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 053C006F
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 053C005E
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 053C0FA1
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 053C0039
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!GetStartupInfoW 7C801E54 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 053C0F58
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 053C00A0
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 053C0F22
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 053C00BB
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 053C0F07
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 053C0FB2
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 053C0FDE
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 053C0F69
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 053C001E
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 053C0FCD
.text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 053C0F3D
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 053B0FC0
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 053B0F83
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 053B0FDB
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 053B0011
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 053B0040
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 053B0000
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 053B0F9E
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5B, 8D]
.text C:\WINDOWS\System32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 053B0FAF
.text C:\WINDOWS\System32\svchost.exe[1420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 030E0038
.text C:\WINDOWS\System32\svchost.exe[1420] msvcrt.dll!system 77C293C7 5 Bytes JMP 030E0FAD
.text C:\WINDOWS\System32\svchost.exe[1420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 030E0FD2
.text C:\WINDOWS\System32\svchost.exe[1420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 030E000C
.text C:\WINDOWS\System32\svchost.exe[1420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 030E001D
.text C:\WINDOWS\System32\svchost.exe[1420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 030E0FE3
.text C:\WINDOWS\System32\svchost.exe[1420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 030D0000
.text C:\WINDOWS\System32\svchost.exe[1420] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 030C0FEF
.text C:\WINDOWS\System32\svchost.exe[1420] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 030C0FDE
.text C:\WINDOWS\System32\svchost.exe[1420] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 030C0FCD
.text C:\WINDOWS\System32\svchost.exe[1420] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 030C001E
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690000
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0069002C
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0069001B
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0087
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0F92
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D006C
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D005B
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D00D0
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D00B3
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D00F5
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D0F5C
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D0110
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0FB9
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D00A2
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D0040
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D0F77
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0025
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C004A
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0F8D
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0FA8
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0FB9
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0FA4
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0FB5
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B000A
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FE3
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B001B
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0FD2
.text C:\WINDOWS\System32\svchost.exe[1504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006A0000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DB0000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DB002C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DB001B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 11620000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 11620F43
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 11620F5E
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 11620042
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 11620F79
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 1162001B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 11620069
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 11620F21
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 11620EE4
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 11620EF5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 1162008E
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 11620F94
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 11620FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 11620F32
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 11620FAF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 11620FC0
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 11620F06
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 1161001B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegCreateKeyExW 77DD776C 5 Bytes JMP 11610058
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegOpenKeyExA 77DD7852 5 Bytes JMP 11610FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegOpenKeyW 77DD7946 5 Bytes JMP 11610FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 11610F9B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegOpenKeyA 77DDEFC8 5 Bytes JMP 11610000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegCreateKeyW 77DFBA55 5 Bytes JMP 1161003D
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] ADVAPI32.DLL!RegCreateKeyA 77DFBCF3 5 Bytes JMP 1161002C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] MSVCRT.DLL!_wsystem 77C2931E 5 Bytes JMP 11290FAF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] MSVCRT.DLL!system 77C293C7 5 Bytes JMP 11290FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] MSVCRT.DLL!_creat 77C2D40F 5 Bytes JMP 11290FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] MSVCRT.DLL!_open 77C2F566 5 Bytes JMP 11290000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] MSVCRT.DLL!_wcreat 77C2FC9B 5 Bytes JMP 11290044
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] MSVCRT.DLL!_wopen 77C30055 5 Bytes JMP 1129001D
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1520] WS2_32.dll!socket 10E64211 5 Bytes JMP 00DC0000
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00890000
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00890FD4
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00890FEF
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008D0FE5
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008D0F83
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008D0F94
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008D006C
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008D0051
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008D002C
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008D00B8
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008D0F66
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008D0F1F
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008D0F3A
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008D0F0E
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008D0FAF
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008D0000
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008D0093
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008D0FCA
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008D001B
.text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008D0F4B
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008C0FD4
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008C007D
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008C0FE5
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008C001B
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008C0062
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008C0000
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008C0051
.text C:\WINDOWS\System32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008C0040
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008B0FB4
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!system 77C293C7 5 Bytes JMP 008B0049
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008B001D
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008B0038
.text C:\WINDOWS\System32\svchost.exe[1548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008B000C
.text C:\WINDOWS\System32\svchost.exe[1548] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690000
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00690036
.text C:\WINDOWS\System32\svchost.exe[1556] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0069001B
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006D0000
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006D0F8A
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006D0FA5
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D0FB6
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006D0073
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006D0047
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006D00CB
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006D00B0
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006D0F4D
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006D0F5E
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006D010B
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006D0058
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006D0F79
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006D0FDB
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006D002C
.text C:\WINDOWS\System32\svchost.exe[1556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006D00DC
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FC0
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F6F
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FD1
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0011
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0F8A
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0FA5
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\System32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0036
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0F9C
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0FAD
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0FE3
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B000C
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FC8
.text C:\WINDOWS\System32\svchost.exe[1556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B001D
.text C:\WINDOWS\System32\svchost.exe[1556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006A0000
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F3D
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80032
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80F4E
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80F6B
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80F8D
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80EFB
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F16
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80EC5
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E8005E
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80EAA
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80F7C
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80FCA
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E8004D
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80F9E
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80FAF
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80EE0
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E7006C
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E7001B
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E70FAF
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E70051
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E6002E
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60FA3
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60FD9
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FC8
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E6001D
.text C:\WINDOWS\system32\svchost.exe[1612] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\System32\svchost.exe[1784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\svchost.exe[1784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[1784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA0025
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0FA3
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0098
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD007D
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD006C
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F77
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD00BF
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F30
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F1F
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD005B
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0014
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F88
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0036
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0025
.text C:\WINDOWS\System32\svchost.exe[1784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F66
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FDB
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F79
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0022
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0011
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0FAF
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\System32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FC0
.text C:\WINDOWS\System32\svchost.exe[1784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0042
.text C:\WINDOWS\System32\svchost.exe[1784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0027
.text C:\WINDOWS\System32\svchost.exe[1784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FD2
.text C:\WINDOWS\System32\svchost.exe[1784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[1784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FB7
.text C:\WINDOWS\System32\svchost.exe[1784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB000C
.text C:\WINDOWS\system32\wuauclt.exe[2508] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\system32\wuauclt.exe[2508] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD1
.text C:\WINDOWS\system32\wuauclt.exe[2508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090011
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C006E
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C005D
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0042
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F83
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F4D
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F5E
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00B0
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F17
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0EFC
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F94
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0089
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F28
.text C:\WINDOWS\system32\wuauclt.exe[2508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0062
.text C:\WINDOWS\system32\wuauclt.exe[2508] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0047
.text C:\WINDOWS\system32\wuauclt.exe[2508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[2508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[2508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\wuauclt.exe[2508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0025
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0065
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0014
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
.text C:\WINDOWS\system32\wuauclt.exe[2508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0040
.text C:\Program Files\internet explorer\iexplore.exe[3416] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00150000
.text C:\Program Files\internet explorer\iexplore.exe[3416] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00150FDB
.text C:\Program Files\internet explorer\iexplore.exe[3416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00150011
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270065
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270F70
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270054
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270F97
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FB9
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00270F29
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270F3A
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002700AE
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00270093
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00270EF0
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270FA8
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0027000A
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270F4B
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270FCA
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270025
.text C:\Program Files\internet explorer\iexplore.exe[3416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270082
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0036000A
.text =========================================================

ryodin

2011-08-28, 01:04

And here is the 3rd and final leg of this log:

========================================================
C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360025
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FB9
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360FD4
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360F68
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FE5
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00360F83
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [56, 88]
.text C:\Program Files\internet explorer\iexplore.exe[3416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360F9E
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370051
.text C:\Program Files\internet explorer\iexplore.exe[3416] msvcrt.dll!system 77C293C7 5 Bytes JMP 0037002C
.text C:\Program Files\internet explorer\iexplore.exe[3416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370011
.text C:\Program Files\internet explorer\iexplore.exe[3416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370FEF
.text C:\Program Files\internet explorer\iexplore.exe[3416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FBC
.text C:\Program Files\internet explorer\iexplore.exe[3416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370000
.text C:\Program Files\internet explorer\iexplore.exe[3416] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 009E0000
.text C:\Program Files\internet explorer\iexplore.exe[3416] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 009E0011
.text C:\Program Files\internet explorer\iexplore.exe[3416] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 009E0FE5
.text C:\Program Files\internet explorer\iexplore.exe[3416] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 009E0FCA
.text C:\Program Files\internet explorer\iexplore.exe[3416] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FEF
.text C:\Program Files\internet explorer\iexplore.exe[4020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00150000
.text C:\Program Files\internet explorer\iexplore.exe[4020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00150FD1
.text C:\Program Files\internet explorer\iexplore.exe[4020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00150011
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270082
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270067
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F8D
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0027004A
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270025
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002700BA
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002700A9
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270F57
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700F0
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0027010B
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270F9E
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270FD4
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270F72
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270014
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FC3
.text C:\Program Files\internet explorer\iexplore.exe[4020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002700D5
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360025
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360051
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FCA
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360FE5
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360F9E
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360000
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00360040
.text C:\Program Files\internet explorer\iexplore.exe[4020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360FB9
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0037005D
.text C:\Program Files\internet explorer\iexplore.exe[4020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370FC8
.text C:\Program Files\internet explorer\iexplore.exe[4020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0037001D
.text C:\Program Files\internet explorer\iexplore.exe[4020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370FEF
.text C:\Program Files\internet explorer\iexplore.exe[4020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370038
.text C:\Program Files\internet explorer\iexplore.exe[4020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0037000C
.text C:\Program Files\internet explorer\iexplore.exe[4020] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4020] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 01180000
.text C:\Program Files\internet explorer\iexplore.exe[4020] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 01180FDB
.text C:\Program Files\internet explorer\iexplore.exe[4020] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 01180FCA
.text C:\Program Files\internet explorer\iexplore.exe[4020] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 01180FB9
.text C:\Program Files\internet explorer\iexplore.exe[4020] ws2_32.dll!socket 71AB4211 5 Bytes JMP 03D00000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

=========================================================

---Ryodin

redcar92

2011-08-28, 02:42

Hello ryodin,
I think we are nearing the end,

Next
Please go to Virus Total (http://www.virustotal.com)
click on Browse, and upload the following file for analysis:
c:\windows\maxdrive\SbcpHid.sys

Then click Submit. Allow the file to be scanned.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

ryodin

2011-08-28, 03:43

I'm trying to access the VirusTotal site, but it seems to be down. I was able to access it once, select the file, and then hit submit. But suddenly the site stopped loading at that point and I haven't been able to get it to work since.

And it's not just this machine. I tried accessing the site from my netbook and it doesn't work, either.

I'll try waiting a few minutes before making another attempt.

--Ryodin

redcar92

2011-08-28, 03:59

With the storm headed your way, no telling what is happening. It worked for me but was a bit slow. If you loose connection for a while don't worry we will hold the thread open until all parties are back online. Good luck and stay dry.

ryodin

2011-08-28, 04:05

Thank you. We're keeping safe. I was finally able to get the site working again, but it is VERY slow. Right now I've been stuck on the file loading status screen for 5 minutes. My Internet connection seems to be running fine for all other sites, though.

I'll try to be patient. :D:

ryodin

2011-08-28, 04:17

It took two more attempts, but it finally went through!

Here are the results of the scan:

=========================================================
File name: SbcpHid.sys
Submission date: 2011-08-28 02:01:01 (UTC)
Current status: queued queued analysing finished

Result: 0/ 44 (0.0%)

Antivirus Version Last Update Result

AhnLab-V3 2011.08.27.00 2011.08.27 -
AntiVir 7.11.14.0 2011.08.26 -
Antiy-AVL 2.0.3.7 2011.08.27 -
Avast 4.8.1351.0 2011.08.27 -
Avast5 5.0.677.0 2011.08.27 -
AVG 10.0.0.1190 2011.08.28 -
BitDefender 7.2 2011.08.28 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.27 -
ClamAV 0.97.0.0 2011.08.28 -
Commtouch 5.3.2.6 2011.08.27 -
Comodo 9898 2011.08.27 -
DrWeb 5.0.2.03300 2011.08.28 -
Emsisoft 5.1.0.10 2011.08.27 -
eSafe 7.0.17.0 2011.08.25 -
eTrust-Vet 36.1.8525 2011.08.26 -
F-Prot 4.6.2.117 2011.08.27 -
F-Secure 9.0.16440.0 2011.08.27 -
Fortinet 4.2.257.0 2011.08.27 -
GData 22 2011.08.28 -
Ikarus T3.1.1.107.0 2011.08.27 -
Jiangmin 13.0.900 2011.08.27 -
K7AntiVirus 9.111.5060 2011.08.26 -
Kaspersky 9.0.0.837 2011.08.28 -
McAfee 5.400.0.1158 2011.08.28 -
McAfee-GW-Edition 2010.1D 2011.08.27 -
Microsoft 1.7604 2011.08.27 -
NOD32 6416 2011.08.28 -
Norman 6.07.10 2011.08.27 -
nProtect 2011-08-27.01 2011.08.27 -
Panda 10.0.3.5 2011.08.27 -
PCTools 8.0.0.5 2011.08.28 -
Prevx 3.0 2011.08.28 -
Rising 23.72.04.03 2011.08.26 -
Sophos 4.68.0 2011.08.27 -
SUPERAntiSpyware 4.40.0.1006 2011.08.27 -
Symantec 20111.2.0.82 2011.08.28 -
TheHacker 6.7.0.1.284 2011.08.26 -
TrendMicro 9.500.0.1008 2011.08.25 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.28 -
VBA32 3.12.16.4 2011.08.26 -
VIPRE 10290 2011.08.28 -
ViRobot 2011.8.27.4643 2011.08.27 -
VirusBuster 14.0.188.0 2011.08.27 -

=========================================================

--Ryodin

redcar92

2011-08-29, 16:46

Greetings Ryodin, I hope you survived Irene in good shape.
How is your pc behaving now? Originally you stated that Spybot S&D would not run. Windows updates was not right, shutdown gave you an icon about installing something and MaCafee would not run.
We want to be sure you are in as good a shape as possible before leaving.

ryodin

2011-08-29, 19:26

Thanks for your concern, redcar! We survived Irene perfectly fine here in the big city. Much ado about nothing, really. Outlying areas didn't fare nearly so well, I'm afraid.

The McAfee problem has been rectified. I don't know if the fixes you had me run did it, or the fact that I had to verify my renewal with them did it . . . but it works fine now.

I will try downloading and running Spybot shortly and let you know how that goes.

I still have the issue of not being able to delete those .exe files you first had me download to my desktop, but which I was being denied access to by whatever malware was preventing me from doing so. Those icons refuse to be sent to the recycling bin. I keep getting a message stating that my access in denied and that the file cannot be deleted.

Lastly, I still have the issue with the Windows updates. The install shield keeps appearing in my sys tray still, despite the fact that I've clicked on it numerous times and initialized the software patch install it asks to download.

Related to this, I think, the Windows update install shield also still appears in the shutdown menu. No matter how many times I allow it to run upon shutdown, the shield still appears in both places each time I reboot my system.

--Ryodin

redcar92

2011-08-30, 02:16

Greetings Ryodin,
If you will post the exact name, extension and location of those files that you cannot delete, we can use the tools to do the job.

Next
Here is a program that is excellent for repairing Windows update problems.
We need to repair some of windows' internal registration settings
Please download Dial-A-Fix from one of the following mirrors:
Primary Mirror (http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip)
Secondary Mirror (http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip)
Extract the zip file to your desktop.
Double click Dial-a-Fix.exe to start the program.
Press the green double checkmark box (Looks like this: http://billy-oneal.com/BleepingComputer/ScreenShots/DialAFix/checkmark.png)
UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
http://billy-oneal.com/BleepingComputer/ScreenShots/DialAFix/toUncheck.png
When the window looks like this, press the GO button in the bottom of the window.
http://billy-oneal.com/BleepingComputer/ScreenShots/DialAFix/mainWindow.png
Exit/Close Dial-A-Fix

Please post back file information and results of Dial-a-fix.

ryodin

2011-08-30, 04:20

It turns out I already have Dial-a-fix on my desktop from quite a few years ago when I had a problem with my Windows updates before. So I used that version instead, which was also v. 0.60.0.24.

It seems the program encountered a few errors along the way, including something called "Error 127" involving registering .dll's or whatever that is. I've included a log of the session below in case you want to try figuring it out.

I'll post the file locations for the other problem once we clear away this issue with the Windows update installer shield first. As of now, I still see the shield in my sys tray and shutdown menu, but perhaps this time it will work and go away if I click to install?

I'll await word from you before I try anything, however.

Dial-a-fix log:

=========================================================
9:57:37 PM | Dial-a-fix was unable to determine your version of Internet Explorer
Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 3
IE version: 8.0.6001.18702
MPC: 55277-OEM
CPU: Intel(R) Pentium(R) 4 CPU 3.00GHz (~2920MHz)
BIOS: 1/15/2004
Memory (approx): 2045MB
Uptime: 9 hour(s)
Current directory: C:\Documents and Settings\David Batista\Desktop\Dial-a-fix-v0.60.0.24\Dial-a-fix-v0.60.0.24
---

8/29/2011 9:57:38 PM -- Dial-a-fix : [v0.60.0.24] -- started
9:57:38 PM | Policy scan started
9:57:38 PM | Policy scan ended - no restrictive policies were found
--- MSI ---
9:58:42 PM | Registered: C:\WINDOWS\system32\msi.dll
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
9:58:51 PM | Unregistered: C:\WINDOWS\system32\msxml.dll
9:58:51 PM | Registered: C:\WINDOWS\system32\msxml.dll
9:58:52 PM | Unregistered: C:\WINDOWS\system32\msxml2.dll
9:58:53 PM | Registered: C:\WINDOWS\system32\msxml2.dll
9:59:14 PM | Unregistered: C:\WINDOWS\system32\msxml3.dll
9:59:15 PM | Registered: C:\WINDOWS\system32\msxml3.dll
9:59:15 PM | Unregistered: C:\WINDOWS\system32\msxml4.dll
9:59:16 PM | Registered: C:\WINDOWS\system32\msxml4.dll
9:59:16 PM | Unregistered: C:\WINDOWS\system32\qmgr.dll
9:59:16 PM | Registered: C:\WINDOWS\system32\qmgr.dll
9:59:16 PM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
9:59:16 PM | Registered: C:\WINDOWS\system32\qmgrprxy.dll
9:59:16 PM | Unregistered: C:\WINDOWS\system32\muweb.dll
9:59:16 PM | Registered: C:\WINDOWS\system32\muweb.dll
9:59:16 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
9:59:16 PM | Registered: C:\WINDOWS\system32\winhttp.dll
9:59:17 PM | Registered: C:\WINDOWS\system32\wuapi.dll
9:59:17 PM | Unregistered: C:\WINDOWS\system32\wuaueng.dll
9:59:18 PM | Registered: C:\WINDOWS\system32\wuaueng.dll
9:59:18 PM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
9:59:18 PM | Registered: C:\WINDOWS\system32\wuaueng1.dll
9:59:18 PM | Unregistered: C:\WINDOWS\system32\wucltui.dll
9:59:18 PM | Registered: C:\WINDOWS\system32\wucltui.dll
9:59:18 PM | Unregistered: C:\WINDOWS\system32\wups.dll
9:59:18 PM | Registered: C:\WINDOWS\system32\wups.dll
9:59:18 PM | Unregistered: C:\WINDOWS\system32\wups2.dll
9:59:18 PM | Registered: C:\WINDOWS\system32\wups2.dll
9:59:18 PM | Unregistered: C:\WINDOWS\system32\wuweb.dll
9:59:19 PM | Registered: C:\WINDOWS\system32\wuweb.dll
9:59:19 PM | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
9:59:32 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
9:59:36 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
9:59:36 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll
9:59:36 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll
9:59:36 PM | Registered: C:\WINDOWS\system32\cryptui.dll
9:59:36 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll
9:59:36 PM | Registered: C:\WINDOWS\system32\cryptext.dll
9:59:37 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll
9:59:37 PM | Registered: C:\WINDOWS\system32\dssenh.dll
9:59:37 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
9:59:37 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll
9:59:38 PM | Unregistered: C:\WINDOWS\system32\initpki.dll
10:01:58 PM | Registered: C:\WINDOWS\system32\initpki.dll
10:01:58 PM | Unregistered: C:\WINDOWS\system32\licdll.dll
10:01:58 PM | Registered: C:\WINDOWS\system32\licdll.dll
10:01:58 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll
10:01:58 PM | Registered: C:\WINDOWS\system32\mssign32.dll
10:01:58 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll
10:01:58 PM | Registered: C:\WINDOWS\system32\mssip32.dll
10:01:59 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll
10:02:00 PM | Registered: C:\WINDOWS\system32\scardssp.dll
10:02:00 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll
10:02:00 PM | Registered: C:\WINDOWS\system32\sccbase.dll
10:02:00 PM | Unregistered: C:\WINDOWS\system32\scecli.dll
10:02:00 PM | Registered: C:\WINDOWS\system32\scecli.dll
10:02:00 PM | Unregistered: C:\WINDOWS\system32\softpub.dll
10:02:00 PM | Registered: C:\WINDOWS\system32\softpub.dll
10:02:00 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
10:02:01 PM | Registered: C:\WINDOWS\system32\slbcsp.dll
10:02:01 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll
10:02:01 PM | Registered: C:\WINDOWS\system32\regwizc.dll
10:02:01 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
10:02:01 PM | Registered: C:\WINDOWS\system32\rsaenh.dll
10:02:01 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
10:02:01 PM | Registered: C:\WINDOWS\system32\winhttp.dll
10:02:01 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll
10:02:02 PM | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: ActiveX controls/codecs ---
10:02:02 PM | Registered: C:\WINDOWS\system32\acelpdec.ax
10:02:02 PM | Registered: C:\WINDOWS\system32\actxprxy.dll
10:02:02 PM | Registered: C:\WINDOWS\system32\asctrls.ocx
10:02:03 PM | Registered: C:\WINDOWS\system32\daxctle.ocx
10:02:03 PM | Registered: C:\WINDOWS\system32\hhctrl.ocx
10:02:03 PM | Registered: C:\WINDOWS\system32\l3codecx.ax
10:02:03 PM | Registered: C:\WINDOWS\system32\licmgr10.dll
10:02:03 PM | Registered: C:\WINDOWS\system32\mpg4ds32.ax
10:02:11 PM | Registered: C:\WINDOWS\system32\msdxm.ocx
10:02:12 PM | Registered: C:\WINDOWS\system32\proctexe.ocx
10:02:12 PM | Registered: C:\WINDOWS\system32\tdc.ocx
10:02:12 PM | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
10:02:12 PM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
10:02:12 PM | DllInstalled: C:\WINDOWS\system32\appwiz.cpl
10:02:12 PM | Registered: C:\WINDOWS\system32\appwiz.cpl
10:02:12 PM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
10:02:13 PM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
10:02:13 PM | Registered: C:\WINDOWS\system32\quartz.dll
10:02:14 PM | Registered: C:\WINDOWS\system32\danim.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\dmscript.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\dmstyle.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\dxmasf.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\dxtmsft.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\dxtrans.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
10:02:15 PM | Registered: C:\WINDOWS\system32\atl.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\corpol.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\jscript.dll
10:02:15 PM | Registered: C:\WINDOWS\system32\dispex.dll
10:02:16 PM | Registered: C:\WINDOWS\system32\scrrun.dll
10:02:16 PM | Registered: C:\WINDOWS\system32\scrobj.dll
10:02:16 PM | Registered: C:\WINDOWS\system32\vbscript.dll
10:02:16 PM | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
10:02:16 PM | Registered: C:\WINDOWS\system32\activeds.dll
10:02:16 PM | Registered: C:\WINDOWS\system32\audiodev.dll
10:02:18 PM | DllInstalled: C:\WINDOWS\system32\browseui.dll
10:02:18 PM | Registered: C:\WINDOWS\system32\browseui.dll
10:02:19 PM | Registered: C:\WINDOWS\system32\browsewm.dll
10:02:19 PM | Registered: C:\WINDOWS\system32\cabview.dll
10:02:19 PM | Registered: C:\WINDOWS\system32\cdfview.dll
10:02:19 PM | Registered: C:\WINDOWS\system32\clbcatex.dll
10:02:20 PM | Registered: C:\WINDOWS\system32\clbcatq.dll
10:02:20 PM | Registered: C:\WINDOWS\system32\comcat.dll
10:02:20 PM | Registered: C:\WINDOWS\system32\cscui.dll
10:02:20 PM | Registered: C:\WINDOWS\system32\credui.dll
10:02:20 PM | Registered: C:\WINDOWS\system32\datime.dll
10:02:21 PM | Registered: C:\WINDOWS\system32\devmgr.dll
10:02:21 PM | Registered: C:\WINDOWS\system32\dfsshlex.dll
10:02:21 PM | Registered: C:\WINDOWS\system32\dmdlgs.dll
10:02:21 PM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
10:02:21 PM | Registered: C:\WINDOWS\system32\dmloader.dll
10:02:22 PM | Registered: C:\WINDOWS\system32\dmocx.dll
10:02:22 PM | Registered: C:\WINDOWS\system32\dmview.ocx
10:02:22 PM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
10:02:22 PM | Registered: C:\WINDOWS\system32\dsuiext.dll
10:02:22 PM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
10:02:22 PM | Registered: C:\WINDOWS\system32\dsquery.dll
10:02:22 PM | Registered: C:\WINDOWS\system32\dskquoui.dll
10:02:22 PM | Registered: C:\WINDOWS\system32\els.dll
10:02:23 PM | Registered: C:\WINDOWS\system32\es.dll
10:02:23 PM | Registered: C:\WINDOWS\system32\fontext.dll
10:02:23 PM | Registered: C:\WINDOWS\system32\hlink.dll
10:02:23 PM | Registered: C:\WINDOWS\system32\hnetcfg.dll
10:02:23 PM | Registered: C:\WINDOWS\system32\iedkcs32.dll
10:02:23 PM | Registered: C:\WINDOWS\system32\iepeers.dll
10:02:24 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:04:00 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
10:04:33 PM | Registered: C:\WINDOWS\system32\ils.dll
10:04:33 PM | Error 127: C:\WINDOWS\system32\imgutil.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:05:22 PM | Registered: C:\WINDOWS\system32\inetcfg.dll
10:05:22 PM | Registered: C:\WINDOWS\system32\inetcomm.dll
10:05:22 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:05:58 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
10:06:43 PM | Registered: C:\WINDOWS\system32\laprxy.dll
10:06:44 PM | Registered: C:\WINDOWS\system32\lmrt.dll
10:06:44 PM | Registered: C:\WINDOWS\system32\mlang.dll
10:06:45 PM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
10:06:45 PM | Registered: C:\WINDOWS\system32\mmcshext.dll
10:06:45 PM | Registered: C:\WINDOWS\system32\mscoree.dll
10:06:45 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not registerable or the file is corrupted. Version: 8.00.6001.19120
10:07:17 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.19120
10:07:49 PM | Registered: C:\WINDOWS\system32\mshtmled.dll
10:07:50 PM | Registered: C:\WINDOWS\system32\msieftp.dll
10:07:50 PM | Registered: C:\WINDOWS\system32\msoeacct.dll
10:07:50 PM | Registered: C:\WINDOWS\system32\msr2c.dll
10:07:50 PM | Error 127: C:\WINDOWS\system32\msrating.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:08:32 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
10:08:32 PM | Registered: C:\WINDOWS\system32\mydocs.dll
10:08:32 PM | Registered: C:\WINDOWS\system32\mstime.dll
10:08:32 PM | Registered: C:\WINDOWS\system32\netcfgx.dll
10:08:32 PM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
10:08:32 PM | Registered: C:\WINDOWS\system32\netplwiz.dll
10:08:33 PM | Registered: C:\WINDOWS\system32\netman.dll
10:08:33 PM | Registered: C:\WINDOWS\system32\netshell.dll
10:08:33 PM | Registered: C:\WINDOWS\system32\ntmsevt.dll
10:08:33 PM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
10:08:33 PM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
10:08:33 PM | Registered: C:\WINDOWS\system32\ntmssvc.dll
10:08:33 PM | Error 127: C:\WINDOWS\system32\occache.dll is not registerable or the file is corrupted. Version: 8.00.6001.19098
10:09:07 PM | Error 127: C:\WINDOWS\system32\occache.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.19098
10:09:49 PM | Registered: C:\WINDOWS\system32\ole32.dll
10:09:49 PM | Registered: C:\WINDOWS\system32\oleaut32.dll
10:09:49 PM | Registered: C:\WINDOWS\system32\oleacc.dll
10:09:49 PM | Registered: C:\WINDOWS\system32\olepro32.dll
10:09:49 PM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
10:09:49 PM | Registered: C:\WINDOWS\system32\photowiz.dll
10:09:49 PM | Error 127: C:\WINDOWS\system32\pngfilt.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:10:16 PM | Registered: C:\WINDOWS\system32\remotepg.dll
10:10:16 PM | Registered: C:\WINDOWS\system32\rpcrt4.dll
10:10:16 PM | Registered: C:\WINDOWS\system32\rshx32.dll
10:10:16 PM | Registered: C:\WINDOWS\system32\sendmail.dll
10:10:16 PM | Registered: C:\WINDOWS\system32\slayerxp.dll
10:10:19 PM | DllInstalled: C:\WINDOWS\system32\shdocvw.dll
10:10:20 PM | Registered: C:\WINDOWS\system32\shdocvw.dll
10:10:20 PM | Registered: C:\WINDOWS\system32\shell32.dll
10:10:30 PM | DllInstalled: C:\WINDOWS\system32\shell32.dll
10:10:31 PM | Registered: C:\WINDOWS\system32\shmedia.dll
10:10:31 PM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
10:10:31 PM | Registered: C:\WINDOWS\system32\shimgvw.dll
10:10:31 PM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
10:10:32 PM | Registered: C:\WINDOWS\system32\shsvcs.dll
10:10:32 PM | Registered: C:\WINDOWS\system32\srclient.dll
10:10:32 PM | Unregistered: C:\WINDOWS\system32\stobject.dll
10:10:32 PM | Registered: C:\WINDOWS\system32\stobject.dll
10:10:32 PM | DllInstalled: C:\WINDOWS\system32\themeui.dll
10:10:33 PM | Registered: C:\WINDOWS\system32\themeui.dll
10:10:33 PM | Registered: C:\WINDOWS\system32\twext.dll
10:10:35 PM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
10:10:35 PM | Registered: C:\WINDOWS\system32\urlmon.dll
10:10:35 PM | Registered: C:\WINDOWS\system32\userenv.dll
10:10:35 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:11:16 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
10:11:21 PM | Registered: C:\WINDOWS\system32\webvw.dll
10:11:21 PM | Registered: C:\WINDOWS\system32\winhttp.dll
10:11:21 PM | DllInstalled: C:\WINDOWS\system32\wininet.dll
10:11:22 PM | Registered: C:\WINDOWS\system32\zipfldr.dll
10:11:22 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
10:11:22 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
10:11:22 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
10:11:22 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
10:11:22 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
10:11:22 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
10:11:23 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
10:11:23 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
10:11:23 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
10:11:23 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
10:11:23 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
10:11:24 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
10:11:24 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
10:11:24 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
10:11:25 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
10:11:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
10:11:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
10:11:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
10:11:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
10:11:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
10:11:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
10:11:29 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll

=========================================================

--Ryodin

redcar92

2011-08-30, 04:31

If you haven't done so, try a reboot, then see if updates work.

ryodin

2011-08-30, 13:58

I don't know why I didn't get a notification of your reply until this morning. So, sorry for the delayed response.

I've tried several reboots, and have downloaded the updates both from the sys tray and the shutdown menu multiple times. And yet, when the machine reboots, the updates show up again. As I mentioned before, it seems to be stuck on downloading the August update of the Malicious Software Removal tool. When I go to the MS updates site, it lists the tool as being the only update I need to install, yet the file to download is listed as being "0 bytes" in size. According to that site, I've downloaded this update successfully every single day since the patch was released. Sometimes multiple times in one day.

Typically when I install the update, the status screen shows the file being downloaded and installed, followed by a message saying "installed successful." Then the install shield in my sys tray disappears, as well as the one in my shut-down menu. However, around 30 seconds later the shield icon reappears in both locations asking to download and install the exact same file again.

Something strange is going on here. Originally I thought some piece of malware was blocking the updates from installing, which is why I came here to this forum for help. But now I'm not so sure that this is the case. Not for this particular issue, at least.

--Ryodin

redcar92

2011-08-30, 18:53

Greetings Ryodin,

MS has a Windows Fixit Center here http://support.microsoft.com/fixit/ that has .Automatically diagnose and fix common problems with Windows Update After page opens, Step 1 Click on Windows then Step 3 scroll down to and click on Automatically diagnose and fix common problems with Windows Update
You use EI to download and run the tool. Follow on screen instructions. Lets see if that helps.

ryodin

2011-08-30, 18:57

Okay, I will give this a try when I get home from work later today and reply here when I'm done.

Thanks a lot, redcar!

--Ryodin

redcar92

2011-08-30, 19:01

:bigthumb: No problem, my pleasure.

ryodin

2011-08-31, 01:13

Okay, I tried the solution you linked to and ran the tool successfully. According to that, the problem was detected and fixed. But of course, lo and behold it was not. I'm still getting the same shield icon in both locations. I ran the installation in the hopes that this might be the last time since the problem was supposed to be fixed . . . but no such luck. The icons appeared again regardless.

I then restarted my PC, went back to the Windows troubleshooting site, ran the tool again, and rebooted my PC one last time after it was done running. And still the problem persists.

I think I should just hide this particular update, except I don't know how to do so.

Anyway, here is a copy of the report that was generated when I ran the tool.

=========================================================

Windows Update Publisher details

Issues found
Windows Update components must be repairedWindows Update components must be repaired
One or more Windows Update components are configured incorrectly Fixed
Repair Windows Update components Succeeded

Issues checked
Default Windows Update data locations have changedDefault Windows Update data locations have changed
The location where Windows Update stores data has changed and must be repaired Checked

Issues found Detection details

6 Windows Update components must be repaired Fixed

One or more Windows Update components are configured incorrectly
Repair Windows Update components Succeeded

Repairing Windows Update components frequently resolves common Windows Update errors

Issues checked Detection details

6 Default Windows Update data locations have changed Checked

The location where Windows Update stores data has changed and must be repaired
Repair default Windows Update locations Not Run

Change Windows Update locations to Windows default settings

Detection details

Collection information
Computer Name: D139KB41
Windows Version: 5.1
Architecture: x86
Time: 8/30/2011 6:53:53 PM

Publisher details

Windows Update
Resolve problems that prevent you from updating Windows.
Package Version: 4.0.2.20110411
Publisher: Microsoft Corporation

=========================================================

--Ryodin

redcar92

2011-08-31, 02:39

Greetings Ryodin,

I am afraid that we have run to end of our resources in the malware removal forum with your update problem but your logs do look clean. When done here you should post your problem here (http://forums.whatthetech.com/index.php?showforum=119) or here (http://forums.techguy.org/21-windows-xp/) as SaferNetworking does not have Windows OS support.

What about those files on your desktop that won't delete?

ryodin

2011-08-31, 04:04

Thanks, redcar. I came to the same conclusion myself. I'll try the links you've provided.

As for the files, they are .exe files including a Spybot S&D program that cannot be deleted from the "Program Files" folder on my C: drive.

Here are the paths/locations for those files:

C:\Documents and Settings\David Batista\Desktop\msert.exe
C:\Documents and Settings\David Batista\Desktop\OTL.exe
C:\Documents and Settings\David Batista\Desktop\OTL2\OTL.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

--Ryodin

redcar92

2011-08-31, 18:17

Greetings Ryodin,

Have you tried uninstalling Spybot S&D?

Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:OTL
:Services
:Reg
:Files
C:\Documents and Settings\David Batista\Desktop\msert.exe
:Commands
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

Here is a little program that can remove almost any other program.
http://www.revouninstaller.com/revo_uninst...e_download.html

We will get OTL when we cleanup our tools.

ryodin

2011-08-31, 22:48

Yes, I ran the uninstall for Spybot first, but it could not get rid of the folder in the "Program Files" folder on my C: drive. The uninstall only removed Spybot from my desktop and Start --> Programs menu. A manual delete of the folder on the C: drive results in an error message saying that either my disk is too full or I do not have access to the file in question. This, of course, makes it impossible for me to re-install Spybot since it needs to overwrite that file and the error prevents it from doing so.

As for your other suggestions, I'll try those when I get home from work tonight.

Thanks a lot!

--Ryodin

ryodin

2011-09-01, 01:04

Okay, I ran OTL to remove that msert.exe file -- and it worked! Now if only I could use this to remove those corrupt OTL.exe files, too! :D:

Here is the log:

==========================================================
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\David Batista\Desktop\msert.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: David Batista
->Temp folder emptied: 4808676 bytes
->Temporary Internet Files folder emptied: 148547900 bytes
->Java cache emptied: 118722743 bytes
->Flash cache emptied: 9290915 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111826 bytes
->Flash cache emptied: 4864 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 7379985 bytes
%systemroot%\System32\dllcache .tmp files removed: 474112 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 185364 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 276.00 mb

OTL by OldTimer - Version 3.2.26.7 log created on 08312011_184922

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6c.dat not found!

Registry entries deleted on Reboot...

==========================================================

I'll try using the program you linked to in order to remove the other files shortly.

--Ryodin

ryodin

2011-09-01, 01:18

Okay, I downloaded Revo Uninstaller. Unfortunately, it does not list SpyBot under the list of installed programs on my machine. Yet the file is clearly there in my "Program Files" folder on the C: drive.

--Ryodin

redcar92

2011-09-01, 19:43

Greetings Ryodin,
One more thing.

Boot to Safe Mode and delete them. If no joy:
How to set, view, change, or remove file and folder permissions in Windows XP
(Pro/Home)
http://support.microsoft.com/kb/308419

HOW TO: Take Ownership of a File or Folder in Windows XP (Pro/Home)
http://support.microsoft.com/default...b;en-us;308421

How to set, view, change, or remove special permissions for files and folders in
Windows XP -
http://support.microsoft.com/default...b;en-us;308419

Let me know results please.

ryodin

2011-09-02, 01:16

The reboot in Safe Mode didn't do the job. So I clicked on the first link and couldn't quite follow what the instructions were asking me to do. The Security Tab it speaks of doesn't appear in my folder properties, and I couldn't find the check box I need to uncheck to gain access to the tab.

The other two links didn't work for me. I think it has something to do with the ellipses in the URL.

All I want to do is get rid of the faulty OTL files from my desktop. I've already figured a workaround the Spybot problem by renaming the folder in my Program Files. After that, I was able to install a fresh copy of Spybot and run a scan last night.

--Ryodin

redcar92

2011-09-02, 03:14

Greetings Ryodin,

Your Java appears to be down level.
Navigate to Control Panel Add Remove Programs.
Highlight each Java item listed then Remove or Uninstall.
Visit this site (http://www.java.com/en/download/index.jsp) to down load and install the latest Java.

Now to clean up our tools.
The following will implement some cleanup procedures as well as reset System Restore points:

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Next
The following will remove OTL, exehelper, TDSSKiller, & GMER. Let me know about the problem folder after running the following.
Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

Next
To remove Hijackthis do the following:
Click Start → Control Panel → Add or Remove Programs
Click on Hijackthis
Click on Remove
When done close all windows.
Navigate to C:\Program files\Trend Micro
Delete the Hijackthis folder.
Close all windows.

On your desktop find RKill.exe/com/scr, right click and click on delete.

On your desktop find aswMBR.exe, right click and click on delete. Do the same for aswMBR.txt

On your desktop find Maxlook.exe, right click and click on delete.

On your desktop find Dial-a-fix.exe, right click and click on delete.

You should keep Malwarebytes and ESET. Updated and run them on a regular basis to keep your pc malware free.

At Last
From the look of your logs are finally, All Clean and the machine seems to be performing as it should. You know how much work and effort you've had to put into getting it back into working order, so hopefully you can impress upon the others who use this machine, to be more careful.

For the future safety of this machine and your data, try to ensure they sit down and read the following threads: (it won't take them very long)

Cracked/Illegal Software (http://www.techsupportforum.com/f50/cracked-illegal-software-248501.html)

Perils of P2P File Sharing (http://www.techsupportforum.com/f50/perils-of-p2p-file-sharing-305923.html)

Think Prevention (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)

If there aren't any more problems, we have some final housekeeping to tend to now.

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

* Microsoft Windows Update - http://www.windowsupdate.com (http://www.windowsupdate.com/)
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

* SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
o SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

* WOT (http://www.mywot.com/), Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
o Green to go
o Yellow for caution
o Red to stop
WOT has an addon available for both Firefox and IE.

* Scan here http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/)for out of date & vulnerable common applications on your computer

If the OTL2 folder won't remove, let me know there may be one or two more tricks we can try.
Please post any more questions or issues please let me know.

ryodin

2011-09-02, 08:23

I was able to remove everything from off your list except for that OTL.exe file which is in the OTL2 folder. I forgot to mention that I had yet another bad OTL.exe file in another folder: C:\Documents and Settings\David Batista\Desktop\Logs\OTL.exe

The faulty OTL.exe on my desktop, the newer "good" version of OTL, exehelper, TDSSKiller, and GMER were all removed, however.

So, as of now, the only files I cannot delete are the 2 OTL's and the Spybot.

I will look into all the suggested links and preventative programs tomorrow and over the weekend.

Thanks, redcar! And let me know what last remaining solutions I might have at my disposal for removing those files.

:thanks:

--Ryodin

ryodin

2011-09-02, 08:44

One more thing. You asked me to keep Malwarebytes and ESET, but I don't believe I have these. Where can I get them?

--Ryodin

redcar92

2011-09-03, 04:09

Greetings Ryodin,
Let's go after OTL2 first, if it works we will do the rest.
Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:
cmd /c del /f/a/q “C:\Documents and Settings\David Batista\Desktop\OTL2\*.* /s”

Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:
cmd /c rd /s/q “C:\Documents and Settings\David Batista\Desktop\OTL2”

Let me know if this works, if so we can do the others.

Next
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/mbam/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes if there are any infections you will see a List of found threats.
Click Export to text file
Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
If no threats are found there will be no list, this is good, just tell me that no threats were found.

Logs to post:

mabam.txt
results of ESET scan
results of run command

ryodin

2011-09-03, 07:08

Thank you, thank you, thank you! :D: That seemed to do the trick! Both corrupted files of OTL are gone now. There are no more. The only suspect file left is the Spybot one.

I'll download and run Malwarebytes and Eset next, and paste the logs in a follow-up reply.

--Ryodin

ryodin

2011-09-03, 07:25

Here is the log from the MBAM scan:

=========================================================
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7640

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/3/2011 1:24:21 AM
mbam-log-2011-09-03 (01-24-21).txt

Scan type: Quick scan
Objects scanned: 193765
Time elapsed: 11 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{B0E43034-50F5-1F84-8098-824B44F2DBC3} (Adware.Admedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=========================================================

--Ryodin

ryodin

2011-09-03, 10:41

Finally finished running the ESET scan. No threats were found! :rockon:

--Ryodin

redcar92

2011-09-03, 15:54

Greetings Ryodin,
This should take care of Spybot.
Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:
cmd /c del /f/a/q “C:\Program Files\Spybot - Search & Destroy\*.* /s”

Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:
cmd /c rd /s/q “C:\Program Files\Spybot - Search & Destroy”

ryodin

2011-09-03, 18:00

Thank you so much, again. That worked!

Have we reached the end of this long road now?

--Ryodin

redcar92

2011-09-03, 22:32

Thanks again for your patience and hard work.
We will close this thread for now.
Take care and safe surfing.

redcar92

2011-09-03, 22:58

Before we go, is there anything that needs attention?

ryodin

2011-09-04, 01:14

Redcar,

Thank you and your colleagues SO MUCH for all the hard work and assistance you put into fixing these stubborn issues on my machine. I truly, honestly appreciate all the help you have shown me.

You guys are the best! :bigthumb:

As of now, I don't have any more issues to report. Next up I have to figure out how to optimize my PC and get it to run faster. It is rather old, though, so it might be that I won't be able to improve it much more.

But, anyway, a BIG THANKS once again!

--Ryodin

ken545

2011-09-05, 00:03

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.