Search Redirect Infection

Post by jaspatton » December 5th, 2010, 8:36 pm

Elusive little sucker, I can't seem to beat it.

Here is the Hijack This log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:10:07 PM, on 12/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TouchFreeze\TouchFreeze.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Windows\Explorer.EXE
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\James\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.us.army.mil/suite/login/log ... ticate-.do (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {05EAC3A7-D219-48F3-A5E4-536234382B43} - C:\Windows\system32\AudioSes32.dll
O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll
O2 - BHO: (no name) - {0BD5874F-D219-48F3-A5E4-536234382B43} - C:\Windows\system32\AudioSes32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: 80851d85 - {EE7C8E0A-ADD1-1DFB-8418-70DE20E5671F} - C:\ProgramData\AudioSes32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
O4 - HKLM\..\Run: [PAP7501_Monitor] C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\RunOnce: [{1017A80C-6F09-4548-A84D-EDD6AC9525F0}] C:\Windows\system32\cmd.exe /c rmdir /q /s "C:\Program Files\Lexmark Toolbar"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Magellan CmTray] C:\Program Files\Content Manager\CmTray.exe
O4 - HKCU\..\Run: [chkdTSON] rundll32 "C:\Users\James\AppData\Local\Temp\Dfrgdwm.dll",DllGetVersion
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe -update activex
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: ApproveIt StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://*.pecinc.com
O15 - Trusted Zone: http://*.softsonline.org
O16 - DPF: {395E58B9-090C-461A-8F27-087D1C727945} (Web Conferencing) - http://www10.pecinc.com/joinie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: C:\ProgramData\AudioSes32.dll
O23 - Service: ActivIdentity Shared Store Service (ac.sharedstore) - ActivIdentity - C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe

--
End of file - 11253 bytes

And here's the Uninstall List:

Acrobat.com
Acrobat.com
ActivClient CAC x86
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ApproveIt Desktop
ArcSoft MediaImpression
Bonjour
D3DX10
Dell Resource CD
FrostWire 4.21.1
Google Chrome
Google Earth
Google Talk Plugin
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IBM Lotus Forms Viewer 3.5.1
InstallRoot 3.13
Intel(R) Graphics Media Accelerator Driver
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_18
Java(TM) 6 Update 18
Junk Mail filter update
Lexmark 5600-6600 Series
Lexmark Printable Web
Lexmark S300-S400 Series
Lexmark Tools for Office
MapSymbs
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Web Access S/MIME
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MyLife Webcam Kit
OGA Notifier 2.0.0048.0
QuickTime
Rosetta Stone Ltd Services
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
TouchFreeze
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Viewer_armyifx
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mail
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer
Windows Live Writer
Windows Live Writer Resources

Thanks for any and all help!
jaspatton
Active Member
Posts: 7
Joined: December 5th, 2010, 8:26 pm
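
The log above is long, and the lines that matter are easy to miss among the legitimate McAfee, Lexmark and Apple entries. As an added example (written for this page, not a MalwareRemoval.com or HijackThis tool), the script below parses a handful of HijackThis lines, reproduced from the logs in this thread, and flags the patterns a volunteer analyst checks first: a BHO registered with no display name, a browser helper or AppInit DLL living in a user-writable directory, an autorun that uses rundll32 to load a DLL from Temp or AppData, a BHO whose DLL is already gone ("file missing"), and one DLL registered under more than one CLSID. The directory list, the reasons and the `triage`/`Finding` names are choices made for this example, not verdicts and not part of HijackThis; a hit means "look here", not "this is malware".

```python
"""Heuristic triage of HijackThis-style log lines (added example, not a forum tool)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in the first post above
# and from the RSIT-embedded log later in the thread (the "(file missing)" line).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {05EAC3A7-D219-48F3-A5E4-536234382B43} - C:\Windows\system32\AudioSes32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: 80851d85 - {EE7C8E0A-ADD1-1DFB-8418-70DE20E5671F} - C:\ProgramData\AudioSes32.dll
O2 - BHO: (no name) - {0BD5874F-D219-48F3-A5E4-536234382B43} - C:\Windows\system32\AudioSes32.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [chkdTSON] rundll32 "C:\Users\James\AppData\Local\Temp\Dfrgdwm.dll",DllGetVersion
O20 - AppInit_DLLs: C:\ProgramData\AudioSes32.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Directories that legitimate browser helpers and AppInit DLLs are rarely loaded from.
# This list is an assumption made for the example; tune it for your own environment.
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp)\\", re.I)

# O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-F-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$", re.I)
# O4 - HKxx\..\Run[Once]: [<value name>] <command line>
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O20 - AppInit_DLLs: <dll list>  (empty on a clean machine)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: "O2", "O4", "O20"
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the lines an analyst should look at first, with the reason for each."""
    findings: list[Finding] = []
    bho_by_dll: dict[str, list[str]] = {}  # DLL path -> CLSIDs registered for it

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            bho_by_dll.setdefault(m["path"].lower(), []).append(m["clsid"])
            if m["name"] == "(no name)":
                findings.append(Finding("O2", "BHO registered without a display name", line))
            if USER_WRITABLE.search(m["path"]):
                findings.append(Finding("O2", "BHO DLL lives in a user-writable directory", line))
            if m["missing"]:
                findings.append(Finding("O2", "BHO CLSID points at a DLL that no longer exists (orphaned registration)", line))
        elif m := RUN_RE.match(line):
            # Only rundll32 launches are flagged here: many legitimate autoruns (e.g. Google
            # Update) live under AppData, but a DLL in Temp loaded via rundll32 is rarely benign.
            if re.match(r"^rundll32(\.exe)?\b", m["cmd"], re.I) and USER_WRITABLE.search(m["cmd"]):
                findings.append(Finding("O4", "rundll32 autorun loads a DLL from a user-writable directory", line))
        elif m := APPINIT_RE.match(line):
            if m["dlls"].strip():
                findings.append(Finding("O20", "AppInit_DLLs is set: this DLL is injected into every process that loads user32.dll", line))

    # The same DLL registered under several CLSIDs is a common re-registration trick.
    for dll, clsids in bho_by_dll.items():
        if len(clsids) > 1:
            findings.append(Finding("O2", f"same DLL registered under {len(clsids)} CLSIDs: {dll}",
                                    f"{dll} -> {', '.join(clsids)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script leaves the Adobe, Windows Defender and Bonjour lines alone and reports the two AudioSes32.dll registrations, the AppInit_DLLs entry and the rundll32 autorun from Temp, which is exactly the set that Malwarebytes later removes in this thread.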

Re: Search Redirect Infection

Post by MWR 3 day Mod » December 9th, 2010, 3:05 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Search Redirect Infection

Post by Cypher » December 10th, 2010, 2:43 pm

Checking your logs now be right back.
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Search Redirect Infection

Post by Cypher » December 10th, 2010, 2:55 pm

Hi and welcome to the Malware Removal Forum. Sorry for the delay in answering your request for help; the forum is really busy.
My name is Cypher, and I will be helping you with your malware problems.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions... if possible...your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backup Made Easy - XP
How to backup your data - Vista



Vista Advice:
  • All applications I ask to be used will need to be run in Administrator mode, i.e. right-click on the application and select Run as Administrator.
  • The Operating System (Vista, aka Windows 6) in use comes with an inbuilt utility called User Access Control (UAC).
  • When prompted by this for anything I ask you to carry out, please select the option Allow.



Remove P2P Programs

  • I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    FrostWire 4.21.1

  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Click on Start > All programs > Accessories > Run.
  • In the open text box copy/paste appwiz.cpl Then click Ok.
  • Uninstall the programs listed above and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Next.

Please download ATF Cleaner to your desktop.

  • Right-click ATF-Cleaner.exe and select "Run as administrator" to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Next.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Right-click mbam-setup.exe and select "Run as administrator", then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

RSIT (Random's System Information Tool)

Please download RSIT by random/random... and save it to your desktop.
  • Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done, 2 log files will be produced.
  • The first one, "log.txt", will be maximized.
  • The second one, "info.txt", will be minimized.
Please post the contents of both "log.txt" and "info.txt" in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)



Logs/Information to Post in your Next Reply

  • Malwarebytes log.
  • RSIT log.txt and info.txt contents.
  • Please give me an update on your computers performance.
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Search Redirect Infection

Post by jaspatton » December 10th, 2010, 10:30 pm

Cypher,

Excellent instructions! Very straightforward. Here are the logs:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5291

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

12/10/2010 9:13:36 PM
mbam-log-2010-12-10 (21-13-36).txt

Scan type: Quick scan
Objects scanned: 136547
Time elapsed: 11 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\audioses32.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\programdata\audioses32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{05EAC3A7-D219-48F3-A5E4-536234382B43} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05EAC3A7-D219-48F3-A5E4-536234382B43} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{05EAC3A7-D219-48F3-A5E4-536234382B43} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{05EAC3A7-D219-48F3-A5E4-536234382B43} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{EE7C8E0A-ADD1-1DFB-8418-70DE20E5671F} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE7C8E0A-ADD1-1DFB-8418-70DE20E5671F} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EE7C8E0A-ADD1-1DFB-8418-70DE20E5671F} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\ProgramData\AudioSes32.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:
c:\programdata\1120152247 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Roaming\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\audioses32.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\programdata\audioses32.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\Windows\System32\config\systemprofile\AppData\Roaming\4532.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Roaming\Adobe\plugs\KB608778.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Roaming\Adobe\plugs\KB625096.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007a97f1581073c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007a97f1581073o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007a97f1581073p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007a97f1581073s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007a97f1581073c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007a97f1581073o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007a97f1581073p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007a97f1581073s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\windows_security_center.exe (Trojan.Dropper) -> Quarantined and deleted successfully.



RSIT Log:
Logfile of random's system information tool 1.08 (written by random/random)
Run by James at 2010-12-10 21:23:02
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 10 GB (15%) free of 64 GB
Total RAM: 2038 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:23:34 PM, on 12/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TouchFreeze\TouchFreeze.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\James\Desktop\RSIT.exe
C:\Program Files\trend micro\James.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.us.army.mil/suite/login/log ... ticate-.do (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll
O2 - BHO: (no name) - {0BD5874F-D219-48F3-A5E4-536234382B43} - C:\Windows\system32\AudioSes32.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
O4 - HKLM\..\Run: [PAP7501_Monitor] C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Magellan CmTray] C:\Program Files\Content Manager\CmTray.exe
O4 - HKCU\..\Run: [chkdTSON] rundll32 "C:\Users\James\AppData\Local\Temp\Dfrgdwm.dll",DllGetVersion
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: ApproveIt StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://*.pecinc.com
O15 - Trusted Zone: http://*.softsonline.org
O16 - DPF: {395E58B9-090C-461A-8F27-087D1C727945} (Web Conferencing) - http://www10.pecinc.com/joinie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: ActivIdentity Shared Store Service (ac.sharedstore) - ActivIdentity - C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe

--
End of file - 10750 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-634840858-3727576072-3247237167-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-634840858-3727576072-3247237167-1000UA.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{F89EA8EF-C303-4358-8110-B80B3C7C6717}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0941C58F-E461-4E03-BD7D-44C27392ADE1}]
PE_IE_Helper Class - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll [2010-02-01 69632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD5874F-D219-48F3-A5E4-536234382B43}]
C:\Windows\system32\AudioSes32.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-09-22 191792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-11-04 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21 439168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2010-08-04 228256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2C5E510-BE6D-42CC-9F61-E4F939078474}]
Lexmark Printable Web - C:\Program Files\Lexmark Printable Web\bho.dll [2008-05-21 180224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2010-08-04 228256]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"ApproveItForOfficeSetup"=C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe [2010-01-26 155648]
"lxdumon.exe"=C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe [2008-11-03 684712]
"EzPrint"=C:\Program Files\Lexmark S300-S400 Series\ezprint.exe [2010-01-18 139944]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-12-12 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-12-12 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-12-12 81920]
"lxeamon.exe"=C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe [2010-01-18 770728]
"PAP7501_Monitor"=C:\Windows\Pixart\PAP7501\GUCI_AVS.exe [2007-12-10 323584]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-09-24 421160]
"acevents"=C:\Program Files\ActivIdentity\ActivClient\acevents.exe [2009-06-03 153640]
""= []
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2009-06-03 400936]
"AprvRemoveLegacyExcelKeys"=C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe [2010-01-26 73728]
"AprvRemoveLegacyWordKeys"=C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe [2010-01-26 73728]
"Malwarebytes' Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-29 963976]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"TouchFreeze"=C:\Program Files\TouchFreeze\TouchFreeze.exe [2005-04-29 45056]
"Google Update"=C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
"Magellan CmTray"=C:\Program Files\Content Manager\CmTray.exe []
"chkdTSON"=rundll32 C:\Users\James\AppData\Local\Temp\Dfrgdwm.dll,DllGetVersion []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
ApproveIt StartUp.lnk - C:\Windows\Installer\{4E01B649-0023-4EB5-9263-57DE317C3418}\Icon9557F1BC1.ico

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-12-12 212992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0
"NoRun"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-12-10 21:23:02 ----D---- C:\rsit
2010-12-10 21:23:02 ----D---- C:\Program Files\trend micro
2010-12-10 20:57:41 ----D---- C:\Users\James\AppData\Roaming\Malwarebytes
2010-12-10 20:57:31 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-12-10 20:57:30 ----D---- C:\ProgramData\Malwarebytes
2010-12-10 20:57:26 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-12-10 20:57:25 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-11-21 10:42:54 ----A---- C:\Windows\system32\igfxres.dll
2010-11-17 20:54:28 ----A---- C:\Windows\SigPlus.ini
2010-11-17 20:54:16 ----D---- C:\Program Files\ApproveIt
2010-11-17 20:52:12 ----D---- C:\AGMLogs
2010-11-17 20:49:18 ----D---- C:\Program Files\Viewer_armyifx
2010-11-17 20:48:23 ----D---- C:\Program Files\IBM
2010-11-17 20:38:08 ----D---- C:\support
2010-11-17 20:19:39 ----D---- C:\Program Files\Common Files\ActivIdentity
2010-11-17 20:19:39 ----D---- C:\Program Files\ActivIdentity
2010-11-17 18:14:08 ----D---- C:\Users\James\AppData\Roaming\WinRAR
2010-11-16 21:06:51 ----D---- C:\Windows\Sun
2010-11-15 19:27:07 ----D---- C:\ProgramData\WindowsSearch
2010-11-14 09:39:19 ----D---- C:\ProgramData\MFAData
2010-11-13 23:20:54 ----A---- C:\Windows\system32\drivers\SBREDrv.sys
2010-11-13 23:15:45 ----D---- C:\ProgramData\Lavasoft
2010-11-13 19:50:58 ----A---- C:\ProgramData\GnuHashes.ini
2010-11-13 18:42:07 ----SHD---- C:\ProgramData\SysWoW32
2010-11-13 18:41:35 ----SHD---- C:\ProgramData\39C631B92EC927BAA351D8629360E741
2010-11-13 18:41:30 ----SH---- C:\ProgramData\unrar.exe

======List of files/folders modified in the last 1 months======

2010-12-10 21:23:17 ----D---- C:\Windows\Prefetch
2010-12-10 21:23:08 ----D---- C:\Windows\Temp
2010-12-10 21:23:02 ----RD---- C:\Program Files
2010-12-10 21:19:33 ----SHD---- C:\Windows
2010-12-10 21:17:59 ----HD---- C:\ProgramData
2010-12-10 21:17:59 ----D---- C:\Windows\system32\drivers
2010-12-10 21:17:59 ----D---- C:\Windows\System32
2010-12-10 21:17:59 ----D---- C:\Windows\Microsoft.NET
2010-12-10 21:15:40 ----D---- C:\Users\James\AppData\Roaming\FrostWire
2010-12-10 20:52:15 ----D---- C:\Program Files\FrostWire
2010-12-10 19:49:44 ----SHD---- C:\System Volume Information
2010-12-05 18:29:09 ----SHD---- C:\Windows\Installer
2010-12-04 23:32:17 ----D---- C:\Windows\inf
2010-12-04 23:32:17 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-12-03 03:01:05 ----D---- C:\Windows\winsxs
2010-12-03 03:01:03 ----D---- C:\Program Files\Internet Explorer
2010-12-02 18:21:45 ----D---- C:\Windows\system32\catroot
2010-11-21 11:11:53 ----SD---- C:\ProgramData\Microsoft
2010-11-20 14:25:05 ----DC---- C:\Windows\system32\DRVSTORE
2010-11-17 20:48:57 ----D---- C:\Users\James\AppData\Roaming\PureEdge
2010-11-17 20:48:23 ----D---- C:\ProgramData\PureEdge
2010-11-17 20:38:17 ----HD---- C:\Program Files\InstallShield Installation Information
2010-11-17 20:25:59 ----D---- C:\Windows\system32\Tasks
2010-11-17 20:19:39 ----D---- C:\Program Files\Common Files
2010-11-14 11:54:42 ----D---- C:\Windows\system32\WDI
2010-11-13 21:44:21 ----D---- C:\Users\James\AppData\Roaming\Adobe
2010-11-13 19:35:37 ----D---- C:\Windows\system32\catroot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-11-04 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2010-07-15 130424]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-14 37376]
R3 Afc;PPdus ASPI Shell; C:\Windows\system32\drivers\Afc.sys [2006-11-10 18688]
R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 GemCCID;GemCCID; C:\Windows\System32\Drivers\GemCCID.sys [2009-08-10 89600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-11-04 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-11-04 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-11-04 40552]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 FTDIBUS;Suunto Sports Instrument Driver; C:\Windows\system32\drivers\ftdibus.sys [2007-06-27 53184]
S3 FTSER2K;Suunto USB Serial Port Driver; C:\Windows\system32\drivers\ftser2k.sys [2007-06-27 71488]
S3 GUCI_AVS;USB2.0 UVC VGA; C:\Windows\system32\DRIVERS\GUCI_AVS.sys [2008-03-31 533888]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-11-04 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 RimUsb;BlackBerry Smartphone; C:\Windows\System32\Drivers\RimUsb.sys [2008-04-16 22784]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2010-04-19 41984]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-10 73216]
S3 USBCCID;USB Smart Card reader; C:\Windows\system32\DRIVERS\usbccid.sys [2006-11-02 30208]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ac.sharedstore;ActivIdentity Shared Store Service; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2010-03-18 113152]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-08-13 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-07-27 345376]
R2 lxdu_device;lxdu_device; C:\Windows\system32\lxducoms.exe [2009-10-16 589824]
R2 lxea_device;lxea_device; C:\Windows\system32\lxeacoms.exe [2010-01-07 598696]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2010-06-10 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-04 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 RosettaStoneDaemon;RosettaStoneDaemon; C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2009-09-03 444224]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2010-09-22 249136]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-09-21 1710464]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-09-24 820008]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-04 606736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-04-14 193192]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-10-28 365072]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

-----------------EOF-----------------

RSIT Info.txt log:

info.txt logfile of random's system information tool 1.08 2010-12-10 21:23:37

======Uninstall list======

Acrobat.com-->msiexec /qb /x {6421F085-1FAA-DE13-D02A-CFB412C522A4}
Acrobat.com-->MsiExec.exe /I{6421F085-1FAA-DE13-D02A-CFB412C522A4}
ActivClient CAC x86-->MsiExec.exe /I{1BE8806A-84F8-4655-A381-0D5524430944}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.4.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A94000000001}
Apple Application Support-->MsiExec.exe /I{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}
Apple Mobile Device Support-->MsiExec.exe /I{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}
Apple Software Update-->MsiExec.exe /I{C41300B9-185D-475E-BFEC-39EF732F19B1}
ApproveIt Desktop-->MsiExec.exe /I{4E01B649-0023-4EB5-9263-57DE317C3418}
ArcSoft MediaImpression-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18472E28-FCA0-421F-BDAC-AC65012E29F2}\Setup.exe" -l0x9
Bonjour-->MsiExec.exe /X{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}
D3DX10-->MsiExec.exe /X{E09C4DB7-630C-4F06-A631-8EA7239923AF}
Dell Resource CD-->MsiExec.exe /X{2764CA82-DFB9-4498-AF85-719340BF5305}
Google Chrome-->"C:\Program Files\Google\Chrome\Application\8.0.552.215\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{4286E640-B5FB-11DF-AC4B-005056C00008}
Google Talk Plugin-->MsiExec.exe /I{58F58158-8DFE-31DA-AC1F-7E5D89A0F74F}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
IBM Lotus Forms Viewer 3.5.1-->MsiExec.exe /X{A0BBF7AB-2F47-47DC-BB02-4C826F2BC73C}
InstallRoot 3.13-->MsiExec.exe /I{A6F57B66-21BA-4065-9096-D6D6B5F395AB}
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}
Java 2 Runtime Environment Standard Edition v1.3.1_18-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68249B78-B714-11D7-88E8-0050DA21757E}\Setup.exe" -uninst
Java(TM) 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
Junk Mail filter update-->MsiExec.exe /I{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}
Lexmark 5600-6600 Series-->C:\Program Files\Lexmark 5600-6600 Series\Install\x86\Uninst.exe
Lexmark Printable Web-->regsvr32.exe /s /u "C:\Program Files\Lexmark Printable Web\bho.dll"
Lexmark S300-S400 Series-->C:\Program Files\Lexmark S300-S400 Series\Install\x86\instgui.exe /u
Lexmark Tools for Office-->regsvr32.exe /s /u "C:\Program Files\Lexmark Tools for Office\CustomOfficeRibbon.dll"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapSymbs-->C:\Program Files\MapSymbs\uninstall.exe
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.5-->MsiExec.exe /I{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}
Microsoft Office Outlook Connector-->MsiExec.exe /X{95140000-007A-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall STANDARDR /dll OSETUP.DLL
Microsoft Office Standard 2007-->MsiExec.exe /X{91120000-0012-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Outlook Web Access S/MIME-->MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Search Enhancement Pack-->MsiExec.exe /X{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSVCRT-->MsiExec.exe /I{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}
MyLife Webcam Kit-->C:\Program Files\InstallShield Installation Information\{0B249F88-ADF9-488A-834A-839DA93A55C9}\setup.exe -runfromtemp -l0x0009 -removeonly
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
QuickTime-->MsiExec.exe /I{E7004147-2CCA-431C-AA05-2AB166B9785D}
Rosetta Stone Ltd Services-->MsiExec.exe /X{326057C5-6185-4C85-A630-9C2FC2DB3F93}
Security Update for 2007 Microsoft Office System (KB2288621)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {5C497F0B-2061-4CC9-A61C-6B45B867354D}
Security Update for 2007 Microsoft Office System (KB2289158)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {210B16C0-CEBD-4DE9-B474-04A7E8735E16}
Security Update for 2007 Microsoft Office System (KB2344875)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {6FC5C4C1-D7AE-44C3-94B7-6424FC3E752F}
Security Update for 2007 Microsoft Office System (KB2345043)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {536FB502-775F-4494-BACE-C02CC90B7A5B}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A8894F19-59C8-38D2-8A75-36C0CCE56A5B} /qb+ REBOOTPROMPT=""
Security Update for Microsoft Office Excel 2007 (KB2345035)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {B23002DD-34EC-4988-B810-A5E2A0BF04F1}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office Outlook 2007 (KB2288953)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {8B772E1C-7C05-42D2-839D-3EC2D39EFF22}
Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {3DED0A62-44C8-4E00-A785-5212F297A9D9}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB2344993)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {7A5B74FA-7A92-4FC9-821A-2DD5D4E73E48}
Segoe UI-->MsiExec.exe /I{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}
TouchFreeze-->MsiExec.exe /I{D031E017-2434-40A7-A352-4DDD0199170D}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Outlook 2007 Junk Email Filter (KB2443839)-->msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {E8CFA21A-2D44-446D-8324-ADFA3C9FCAD2}
Viewer_armyifx-->C:\Program Files\Viewer_armyifx\uninstall.exe
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Live Communications Platform-->MsiExec.exe /I{D45240D3-B6B3-4FF9-B243-54ECE3E10066}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}
Windows Live ID Sign-in Assistant-->MsiExec.exe /I{61AD15B2-50DB-4686-A739-14FE180D4429}
Windows Live Installer-->MsiExec.exe /I{0B0F231F-CE6A-483D-AA23-77B364F75917}
Windows Live Mail-->MsiExec.exe /I{9D56775A-93F3-44A3-8092-840E3826DE30}
Windows Live Mail-->MsiExec.exe /I{C66824E4-CBB3-4851-BB3F-E8CFD6350923}
Windows Live MIME IFilter-->MsiExec.exe /I{AF844339-2F8A-4593-81B3-9F4C54038C4E}
Windows Live Movie Maker-->MsiExec.exe /X{19BA08F7-C728-469C-8A35-BFBD3633BE08}
Windows Live Movie Maker-->MsiExec.exe /X{92EA4134-10D1-418A-91E1-5A0453131A38}
Windows Live Photo Common-->MsiExec.exe /X{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}
Windows Live Photo Common-->MsiExec.exe /X{D436F577-1695-4D2F-8B44-AC76C99E0002}
Windows Live Photo Gallery-->MsiExec.exe /X{3336F667-9049-4D46-98B6-4C743EEBC5B1}
Windows Live Photo Gallery-->MsiExec.exe /X{34F4D9A4-42C2-4348-BEF4-E553C84549E7}
Windows Live PIMT Platform-->MsiExec.exe /I{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}
Windows Live SOXE Definitions-->MsiExec.exe /I{200FEC62-3C34-4D60-9CE8-EC372E01C08F}
Windows Live SOXE-->MsiExec.exe /I{682B3E4F-696A-42DE-A41C-4C07EA1678B4}
Windows Live Sync-->MsiExec.exe /X{B10914FD-8812-47A4-85A1-50FCDE7F1F33}
Windows Live UX Platform Language Pack-->MsiExec.exe /I{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}
Windows Live UX Platform-->MsiExec.exe /I{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}
Windows Live Writer Resources-->MsiExec.exe /X{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}
Windows Live Writer-->MsiExec.exe /X{A726AE06-AAA3-43D1-87E3-70F510314F04}
Windows Live Writer-->MsiExec.exe /X{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}
Windows Live Writer-->MsiExec.exe /X{AAF454FC-82CA-4F29-AB31-6A109485E76E}

======Security center information======

AS: Windows Defender (disabled)

======System event log======

Computer Name: James-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB979306(Update) into Install Requested(Install Requested) state
Record Number: 47291
Source Name: Microsoft-Windows-Servicing
Time Written: 20100226013107.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: James-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB979306(Update) into Install Requested(Install Requested) state
Record Number: 47289
Source Name: Microsoft-Windows-Servicing
Time Written: 20100226013107.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: James-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB979306(Update) into Install Requested(Install Requested) state
Record Number: 47251
Source Name: Microsoft-Windows-Servicing
Time Written: 20100226013107.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: James-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB979306(Update) into Install Requested(Install Requested) state
Record Number: 47247
Source Name: Microsoft-Windows-Servicing
Time Written: 20100226013107.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: James-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB979306(Update) into Install Requested(Install Requested) state
Record Number: 47241
Source Name: Microsoft-Windows-Servicing
Time Written: 20100226013107.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: James-PC
Event Code: 33
Message: Activation context generation failed for "C:\DELL\drivers\R151522\wltrysvc.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 58
Source Name: SideBySide
Time Written: 20100131204226.000000-000
Event Type: Error
User:

Computer Name: James-PC
Event Code: 33
Message: Activation context generation failed for "C:\DELL\drivers\R151522\wltray.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 57
Source Name: SideBySide
Time Written: 20100131204226.000000-000
Event Type: Error
User:

Computer Name: James-PC
Event Code: 33
Message: Activation context generation failed for "C:\DELL\drivers\R151522\bcmwltry.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 56
Source Name: SideBySide
Time Written: 20100131204222.000000-000
Event Type: Error
User:

Computer Name: James-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 26
Source Name: Microsoft-Windows-Search
Time Written: 20100131223346.000000-000
Event Type: Warning
User:

Computer Name: 26L2233B2-12
Event Code: 1036
Message: InitializePrintProvider failed for provider inetpp.dll. This can occur because of system instability or a lack of system resources.
Record Number: 13
Source Name: Microsoft-Windows-SpoolerSpoolss
Time Written: 20100131222435.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: 26L2233B2-12
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: 26L2233B2-12$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x258
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100131222241.386167-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4902
Message: The Per-user audit policy table was created.

Number of Elements: 0
Policy ID: 0xcc18e
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100131222231.932506-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4
Process Name:

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100131222229.077688-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4608
Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100131222229.077688-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4647
Message: User initiated logoff:

Subject:
Security ID: S-1-5-21-2365545147-1999384947-2466353664-500
Account Name: Administrator
Account Domain: 26L2233B2-12
Logon ID: 0x836ab

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20061102130829.896800-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files\Common Files\ArcSoft\Bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Windows Live\Shared;C:\Program Files\ActivIdentity\ActivClient\;C:\Program Files\ApproveIt\ThirdParty\Bin\;C:\Program Files\ApproveIt\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

-----------------EOF-----------------

Thanks for the help!
Jim
jaspatton
Active Member
 
Posts: 7
Joined: December 5th, 2010, 8:26 pm

Re: Search Redirect Infection

Unread postby Cypher » December 11th, 2010, 6:49 am

Hi jaspatton.
Thanks for the help

You're welcome.

Back Up registry with ERUNT

  • Please use the following link and download ERUNT to your desktop. HERE
  • Right Click on the erunt-setup.exe and select " Run as administrator " to run it.
  • Follow the prompts to install ERUNT
  • Choose language
  • A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe

Next.

Download and run OTM

Download OTM.exe by Old Timer and save it to your Desktop.
  • Right-click OTM.exe and select " Run as administrator " to run it.
  • Right-click then copy the following code, Do not include the word Code.
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="http://www.msn.com"
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD5874F-D219-48F3-A5E4-536234382B43}]
    [-HKEY_CLASSES_ROOT\CLSID\{0BD5874F-D219-48F3-A5E4-536234382B43}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "chkdTSON"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://*.pecinc.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://*.softsonline.org]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{395E58B9-090C-461A-8F27-087D1C727945}]
    [-HKEY_CLASSES_ROOT\CLSID\{395E58B9-090C-461A-8F27-087D1C727945}]
    
    :Files
    C:\Users\James\AppData\Local\Temp\Dfrgdwm.dll
    C:\ProgramData\SysWoW32
    C:\Users\James\AppData\Roaming\FrostWire
    C:\Program Files\FrostWire
    
    :Commands
    [EmptyFlash]
    [emptytemp]
    [start explorer]
    [Reboot]
    

    • Return to OTM, right-click then paste the code into the blank box below.
    • Next click on the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
  • Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. (It will be maximized.)
  • Please post ONLY the "log.txt", file contents in your next reply.
    (This log can be lengthy, so a separate post may be needed.)

Next.

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now right-click on RKUnhookerLE.exe and select "Run As Administrator" to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • * This can take a while. Please be patient *.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of this log in your next reply.
  • This log can be lengthy; you may have to post it in separate replies.
  • Note: You may get the following warning - it is ok - just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"



Logs/Information to Post in your Next Reply

  • OTM log.
  • RSIT log.txt.
  • RKUnHooker log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
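When the RSIT log comes back, the helper will be checking whether the entries the OTM script above targeted are gone, and that check can be done mechanically. The following is an added example, not code from OTM, RSIT, HijackThis or this thread's helpers: it parses the :Reg section of the script above and flags HijackThis O2/O4/O15 lines that still reference a targeted CLSID, Run value or trusted-zone domain. The "before" log lines are constructed; the "after" lines are taken from the HijackThis log posted later in this thread, where the two O15 trusted-zone entries are still listed.

```python
"""Check whether items an OTM ':Reg' script targeted still appear in a HijackThis log.

Added example for this thread, not part of OTM, RSIT or HijackThis: parses the
:Reg section of the script posted above, then scans O2 (BHO), O4 (Run) and
O15 (Trusted Zone) lines and reports those still referencing a targeted item.
"""
import re

# The :Reg section of the OTM script posted in this thread, plus the start of :Files.
OTM_SCRIPT = r"""
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD5874F-D219-48F3-A5E4-536234382B43}]
[-HKEY_CLASSES_ROOT\CLSID\{0BD5874F-D219-48F3-A5E4-536234382B43}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chkdTSON"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://*.pecinc.com]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://*.softsonline.org]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{395E58B9-090C-461A-8F27-087D1C727945}]
[-HKEY_CLASSES_ROOT\CLSID\{395E58B9-090C-461A-8F27-087D1C727945}]

:Files
C:\Users\James\AppData\Local\Temp\Dfrgdwm.dll
"""

# Constructed "before" log: the BHO and chkdTSON lines are invented to exercise the matcher.
LOG_BEFORE_FIX = r"""
O2 - BHO: (no name) - {0BD5874F-D219-48F3-A5E4-536234382B43} - (constructed path)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [chkdTSON] (constructed path)
O15 - Trusted Zone: http://*.pecinc.com
O15 - Trusted Zone: http://*.softsonline.org
"""

# Lines taken from the HijackThis log posted after the fix was run.
LOG_AFTER_FIX = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O15 - Trusted Zone: http://*.pecinc.com
O15 - Trusted Zone: http://*.softsonline.org
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ZONE_KEY_RE = re.compile(r"ZoneMap\\Domains\\(\S+)\]$")
RUN_KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\Run\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"=-$')   # "name"=- deletes that value

# (pattern capturing the identifier, target kind, normaliser) per HijackThis line type
HJT_CHECKS = (
    (re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - "), "clsids", str.upper),
    (re.compile(r"^O15 - Trusted Zone: (\S+)"), "zones", str.lower),
    (re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\]"), "run_values", str.lower),
)


def parse_otm_reg(script):
    """Collect the CLSIDs, ZoneMap domains and Run values the :Reg section removes."""
    targets = {"clsids": set(), "zones": set(), "run_values": set()}
    in_reg = in_run_key = False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith(":"):            # section header (:Reg, :Files, :Commands)
            in_reg = line.lower() == ":reg"
            continue
        if not in_reg or not line:
            continue
        if line.startswith("[-"):           # [-key] deletes the whole key
            in_run_key = False
            clsid = CLSID_RE.search(line)
            if clsid:
                targets["clsids"].add(clsid.group(0).upper())
            zone = ZONE_KEY_RE.search(line)
            if zone:
                targets["zones"].add(zone.group(1).lower())
        elif line.startswith("["):          # [key] selects a key whose values follow
            in_run_key = bool(RUN_KEY_RE.match(line))
        elif in_run_key:
            value = RUN_VALUE_RE.match(line)
            if value:
                targets["run_values"].add(value.group(1).lower())
    return targets


def find_leftovers(hjt_log, targets):
    """Return the HijackThis lines that still reference a targeted item."""
    leftovers = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        for pattern, kind, normalise in HJT_CHECKS:
            found = pattern.match(line)
            if found and normalise(found.group(1)) in targets[kind]:
                leftovers.append(line)
                break
    return leftovers


if __name__ == "__main__":
    targets = parse_otm_reg(OTM_SCRIPT)
    for label, log in (("before fix", LOG_BEFORE_FIX), ("after fix", LOG_AFTER_FIX)):
        print(label, "-> still listed:", find_leftovers(log, targets))
```

Only O2, O4 and O15 lines are inspected; the O16 (Distribution Units) and :Files items of the script are not covered by this check.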

Re: Search Redirect Infection

Unread postby jaspatton » December 11th, 2010, 2:21 pm

Cypher,

Ran as per instructions; OTM locked me up and I had to hard-power down to reboot/restart. Other than that, everything went fine and my laptop is running faster (programs are much more responsive), and the redirect problem is gone as well.

Here are the logs:

OTM -


Files moved on Reboot...
C:\Windows\temp\mcafee_rJuafORqh5eKGzv moved successfully.
C:\Windows\temp\mcmsc_4NiaYvOeoeQZZra moved successfully.

Registry entries deleted on Reboot...


RSIT -
Logfile of random's system information tool 1.08 (written by random/random)
Run by James at 2010-12-11 11:24:37
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 12 GB (19%) free of 64 GB
Total RAM: 2038 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:24:52 AM, on 12/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TouchFreeze\TouchFreeze.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\James\Desktop\RSIT.exe
C:\Program Files\trend micro\James.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
O4 - HKLM\..\Run: [PAP7501_Monitor] C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Magellan CmTray] C:\Program Files\Content Manager\CmTray.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: ApproveIt StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://*.pecinc.com
O15 - Trusted Zone: http://*.softsonline.org
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: ActivIdentity Shared Store Service (ac.sharedstore) - ActivIdentity - C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe

--
End of file - 9852 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-634840858-3727576072-3247237167-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-634840858-3727576072-3247237167-1000UA.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{F89EA8EF-C303-4358-8110-B80B3C7C6717}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0941C58F-E461-4E03-BD7D-44C27392ADE1}]
PE_IE_Helper Class - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll [2010-02-01 69632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-09-22 191792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-11-04 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21 439168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2010-08-04 228256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2C5E510-BE6D-42CC-9F61-E4F939078474}]
Lexmark Printable Web - C:\Program Files\Lexmark Printable Web\bho.dll [2008-05-21 180224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2010-08-04 228256]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"ApproveItForOfficeSetup"=C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe [2010-01-26 155648]
"lxdumon.exe"=C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe [2008-11-03 684712]
"EzPrint"=C:\Program Files\Lexmark S300-S400 Series\ezprint.exe [2010-01-18 139944]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-12-12 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-12-12 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-12-12 81920]
"lxeamon.exe"=C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe [2010-01-18 770728]
"PAP7501_Monitor"=C:\Windows\Pixart\PAP7501\GUCI_AVS.exe [2007-12-10 323584]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-09-24 421160]
"acevents"=C:\Program Files\ActivIdentity\ActivClient\acevents.exe [2009-06-03 153640]
""= []
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2009-06-03 400936]
"AprvRemoveLegacyExcelKeys"=C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe [2010-01-26 73728]
"AprvRemoveLegacyWordKeys"=C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe [2010-01-26 73728]
"Malwarebytes' Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-29 963976]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"TouchFreeze"=C:\Program Files\TouchFreeze\TouchFreeze.exe [2005-04-29 45056]
"Google Update"=C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
"Magellan CmTray"=C:\Program Files\Content Manager\CmTray.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
ApproveIt StartUp.lnk - C:\Windows\Installer\{4E01B649-0023-4EB5-9263-57DE317C3418}\Icon9557F1BC1.ico

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-12-12 212992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0
"NoRun"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-12-11 11:12:24 ----D---- C:\_OTM
2010-12-11 11:11:26 ----D---- C:\Windows\ERDNT
2010-12-11 11:11:09 ----D---- C:\Program Files\ERUNT
2010-12-10 22:41:29 ----D---- C:\Users\James\AppData\Roaming\Mozilla
2010-12-10 21:23:02 ----D---- C:\rsit
2010-12-10 21:23:02 ----D---- C:\Program Files\trend micro
2010-12-10 20:57:41 ----D---- C:\Users\James\AppData\Roaming\Malwarebytes
2010-12-10 20:57:31 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-12-10 20:57:30 ----D---- C:\ProgramData\Malwarebytes
2010-12-10 20:57:26 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-12-10 20:57:25 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-11-21 10:42:54 ----A---- C:\Windows\system32\igfxres.dll
2010-11-17 20:54:28 ----A---- C:\Windows\SigPlus.ini
2010-11-17 20:54:16 ----D---- C:\Program Files\ApproveIt
2010-11-17 20:52:12 ----D---- C:\AGMLogs
2010-11-17 20:49:18 ----D---- C:\Program Files\Viewer_armyifx
2010-11-17 20:48:23 ----D---- C:\Program Files\IBM
2010-11-17 20:38:08 ----D---- C:\support
2010-11-17 20:19:39 ----D---- C:\Program Files\Common Files\ActivIdentity
2010-11-17 20:19:39 ----D---- C:\Program Files\ActivIdentity
2010-11-17 18:14:08 ----D---- C:\Users\James\AppData\Roaming\WinRAR
2010-11-16 21:06:51 ----D---- C:\Windows\Sun
2010-11-15 19:27:07 ----D---- C:\ProgramData\WindowsSearch
2010-11-14 09:39:19 ----D---- C:\ProgramData\MFAData
2010-11-13 23:20:54 ----A---- C:\Windows\system32\drivers\SBREDrv.sys
2010-11-13 23:15:45 ----D---- C:\ProgramData\Lavasoft
2010-11-13 19:50:58 ----A---- C:\ProgramData\GnuHashes.ini
2010-11-13 18:41:35 ----SHD---- C:\ProgramData\39C631B92EC927BAA351D8629360E741
2010-11-13 18:41:30 ----SH---- C:\ProgramData\unrar.exe

======List of files/folders modified in the last 1 months======

2010-12-11 11:24:43 ----D---- C:\Windows\Temp
2010-12-11 11:21:10 ----D---- C:\Windows\Prefetch
2010-12-11 11:12:51 ----RD---- C:\Program Files
2010-12-11 11:12:50 ----HD---- C:\ProgramData
2010-12-11 11:11:26 ----SHD---- C:\Windows
2010-12-11 09:12:10 ----SHD---- C:\System Volume Information
2010-12-10 22:41:31 ----SHD---- C:\Windows\Installer
2010-12-10 21:17:59 ----D---- C:\Windows\system32\drivers
2010-12-10 21:17:59 ----D---- C:\Windows\System32
2010-12-10 21:17:59 ----D---- C:\Windows\Microsoft.NET
2010-12-04 23:32:17 ----D---- C:\Windows\inf
2010-12-04 23:32:17 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-12-03 03:01:05 ----D---- C:\Windows\winsxs
2010-12-03 03:01:03 ----D---- C:\Program Files\Internet Explorer
2010-12-02 18:21:45 ----D---- C:\Windows\system32\catroot
2010-11-21 11:11:53 ----SD---- C:\ProgramData\Microsoft
2010-11-20 14:25:05 ----DC---- C:\Windows\system32\DRVSTORE
2010-11-17 20:48:57 ----D---- C:\Users\James\AppData\Roaming\PureEdge
2010-11-17 20:48:23 ----D---- C:\ProgramData\PureEdge
2010-11-17 20:38:17 ----HD---- C:\Program Files\InstallShield Installation Information
2010-11-17 20:25:59 ----D---- C:\Windows\system32\Tasks
2010-11-17 20:19:39 ----D---- C:\Program Files\Common Files
2010-11-14 11:54:42 ----D---- C:\Windows\system32\WDI
2010-11-13 21:44:21 ----D---- C:\Users\James\AppData\Roaming\Adobe
2010-11-13 19:35:37 ----D---- C:\Windows\system32\catroot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-11-04 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2010-07-15 130424]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-14 37376]
R3 Afc;PPdus ASPI Shell; C:\Windows\system32\drivers\Afc.sys [2006-11-10 18688]
R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 GemCCID;GemCCID; C:\Windows\System32\Drivers\GemCCID.sys [2009-08-10 89600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-11-04 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-11-04 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-11-04 40552]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 FTDIBUS;Suunto Sports Instrument Driver; C:\Windows\system32\drivers\ftdibus.sys [2007-06-27 53184]
S3 FTSER2K;Suunto USB Serial Port Driver; C:\Windows\system32\drivers\ftser2k.sys [2007-06-27 71488]
S3 GUCI_AVS;USB2.0 UVC VGA; C:\Windows\system32\DRIVERS\GUCI_AVS.sys [2008-03-31 533888]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-11-04 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 RimUsb;BlackBerry Smartphone; C:\Windows\System32\Drivers\RimUsb.sys [2008-04-16 22784]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2010-04-19 41984]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-10 73216]
S3 USBCCID;USB Smart Card reader; C:\Windows\system32\DRIVERS\usbccid.sys [2006-11-02 30208]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ac.sharedstore;ActivIdentity Shared Store Service; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2010-03-18 113152]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-08-13 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-07-27 345376]
R2 lxdu_device;lxdu_device; C:\Windows\system32\lxducoms.exe [2009-10-16 589824]
R2 lxea_device;lxea_device; C:\Windows\system32\lxeacoms.exe [2010-01-07 598696]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2010-06-10 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-04 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 RosettaStoneDaemon;RosettaStoneDaemon; C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2009-09-03 444224]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2010-09-22 249136]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-09-21 1710464]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-09-24 820008]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-04 606736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-04-14 193192]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-10-28 365072]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

-----------------EOF-----------------

RkU is in the next post; it made this entry too long.


I'd buy you a keg if you were around, believe me - you are a lifesaver.
jaspatton
Active Member
 
Posts: 7
Joined: December 5th, 2010, 8:26 pm

Re: Search Redirect Infection

Unread postby jaspatton » December 11th, 2010, 2:21 pm

RkU Log from last go 'round:


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x8BA0B000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7008256 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x81C35000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x81C35000 PnpManager 3903488 bytes
0x81C35000 RAW 3903488 bytes
0x81C35000 WMIxWDM 3903488 bytes
0x94450000 Win32k 2109440 bytes
0x94450000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x87801000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x8227F000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8C83D000 C:\Windows\system32\DRIVERS\VSTDPV3.SYS 1064960 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8CA5A000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x804DA000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xA847E000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8C941000 C:\Windows\system32\DRIVERS\VSTCNXT3.SYS 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xA7604000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8C0BA000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8C167000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8060A000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x8B609000 C:\Windows\system32\DRIVERS\bcmwl6.sys 479232 bytes (Broadcom Corporation, BCM 802.11g Network Adapter wireless driver)
0x8220E000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x80410000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0xA770B000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8B71F000 C:\Windows\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xA8430000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x8073C000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8CE06000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80693000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80499000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8C407000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8C569000 C:\Windows\system32\drivers\HdAudio.sys 258048 bytes (Microsoft Corporation, High Definition Audio Function Driver)
0x8B689000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8CEB7000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8C801000 C:\Windows\system32\DRIVERS\VSTAZL3.SYS 245760 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x823B5000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x8CBC4000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x87911000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8C523000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x81C02000 ACPI_HAL 208896 bytes
0x81C02000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8CEFD000 C:\Windows\system32\drivers\mfehidk.sys 208896 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0x805BA000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8CE4E000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8B7BF000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8C5A8000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8238A000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8C4E2000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0xA76C4000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x8CB5F000 C:\Windows\System32\Drivers\Mpfp.sys 167936 bytes (McAfee, Inc., McAfee Personal Firewall Plus Driver)
0xA855C000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA8408000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x87961000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806EA000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8C5D5000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8C475000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x87999000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0xA77C3000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8CA07000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8CFC6000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x807B3000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0xA7778000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x8CB44000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8CFA3000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8B705000 C:\Windows\system32\DRIVERS\sdbus.sys 106496 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xA7795000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8B7A1000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA77E4000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8CF30000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8C453000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xA85B3000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8CF47000 C:\Windows\System32\Drivers\GemCCID.sys 90112 bytes (Gemalto, USB Smart Card Reader Driver)
0x8CE80000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8CB88000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0xA77AE000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8C4BB000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8C4A7000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8CBB0000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8B770000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0xA76F8000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8CEA4000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8CB9E000 C:\Windows\system32\DRIVERS\ipfltdrv.sys 73728 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xA85A1000 C:\Windows\system32\drivers\mfeavfk.sys 73728 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0x8B6D6000 C:\Windows\system32\DRIVERS\bcm4sbxp.sys 69632 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0x87988000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x8C558000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80480000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x807D1000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0xA76B4000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8079B000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8B6E7000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x8C4D0000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x823F0000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x8CF94000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x87952000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x80711000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8C498000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8B6C7000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8072D000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x8B6F7000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x94690000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8CE96000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8CA43000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x8078D000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8CF6A000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8B7EE000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8C516000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x80686000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xA858E000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8C1F4000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8C15B000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8CF77000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8B78E000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8B783000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8CA38000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8C46A000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8CF5D000 C:\Windows\System32\Drivers\SMCLIB.SYS 45056 bytes (Microsoft Corporation, Smard Card Driver Library)
0x8C448000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x879E3000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8B67E000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x80723000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x8CF8A000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8C50C000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA76EE000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8CEF3000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0xA8584000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x879BA000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8C9F4000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0xA85C9000 C:\Windows\system32\drivers\mfesmfk.sys 36864 bytes (McAfee, Inc., System Monitor Filter Driver)
0xA85D2000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x8CA51000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x94670000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x879EE000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x879F7000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x806D9000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8B799000 C:\Windows\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft(R) ASPI Shell)
0x807AB000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80491000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8CF82000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x806E2000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8CA28000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8CA30000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8794A000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8B600000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x80786000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x80409000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xA859A000 C:\Windows\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0x8C400000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8B7B9000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x82200000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x80720000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x8C4E0000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8CF68000 C:\Windows\System32\Drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\Users\James\AppData\Local\Temp\~DFAC5E.tmp::$DATA
!-->[Hidden] C:\Users\James\AppData\Local\Temp\~DFB8FF.tmp::$DATA
!-->[Hidden] C:\Windows\Prefetch\MCUPDMGR.EXE-2483B4A1.pf
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x81CDD7AA-->81CDD7B1 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateFile, Type: Inline - RelativeJump 0x81E76E5B-->8CF167A2 [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcess, Type: Inline - RelativeJump 0x81EC68BF-->8CF1673C [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x81EC690A-->8CF16750 [mfehidk.sys]
ntkrnlpa.exe-->NtCreateUserProcess, Type: Inline - RelativeJump 0x81DFEB82-->8CF16766 [mfehidk.sys]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x81E454FA-->8CF167E0 [mfehidk.sys]
ntkrnlpa.exe-->NtNotifyChangeKey, Type: Inline - RelativeJump 0x81DF45B5-->8CF16823 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x81E55C08-->8CF16714 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Inline - RelativeJump 0x81E5115A-->8CF16728 [mfehidk.sys]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x81E4EF3D-->8CF167B6 [mfehidk.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Inline - RelativeJump 0x81E88AD6-->8CF1684B [mfehidk.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Inline - RelativeJump 0x81E878D2-->8CF16837 [mfehidk.sys]
ntkrnlpa.exe-->NtSetContextThread, Type: Inline - RelativeJump 0x81EC73C7-->8CF1678E [mfehidk.sys]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Inline - RelativeJump 0x81E49528-->8CF1677A [mfehidk.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x81E25DA3-->8CF1680F [mfehidk.sys]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x81E457BD-->8CF167F6 [mfehidk.sys]
ntkrnlpa.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x81C609D2-->8CF167CC [mfehidk.sys]
[1024]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[1024]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[1024]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[1024]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[1024]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[1024]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[1024]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[1024]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[1024]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[1024]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[1064]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[1064]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[1064]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[1080]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[1080]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[1080]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[1184]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[1184]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[1248]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[1248]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[1248]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x7652D690-->00000000 [unknown_code_page]
[1248]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x7652F3A4-->00000000 [unknown_code_page]
[1248]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x76576D5F-->00000000 [unknown_code_page]
[1248]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x7652DB09-->00000000 [unknown_code_page]
[1248]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[1448]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[1448]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[1448]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[1796]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[1796]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[1796]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[2200]McProxy.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [McProxy.exe]
[2200]McProxy.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [McProxy.exe]
[2272]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[2272]rundll32.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->00000000 [shimeng.dll]
[2272]rundll32.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->00000000 [shimeng.dll]
[2272]rundll32.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[2388]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[2388]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[2388]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[2388]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[2388]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[2388]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[2388]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[2388]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[2388]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[2388]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[2556]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[2556]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[2556]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[2612]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[2612]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[3260]iexplore.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[3260]iexplore.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[3260]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x75D21305-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x75D5847D-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x75D42EF5-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x75D58152-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x75D410B0-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x75D6D639-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x75D6D65D-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x75D6D4D9-->00000000 [ieframe.dll]
[3260]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x75D6D5D3-->00000000 [ieframe.dll]
[3260]iexplore.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x7652D690-->00000000 [unknown_code_page]
[3260]iexplore.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x7652F3A4-->00000000 [unknown_code_page]
[3260]iexplore.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x76576D5F-->00000000 [unknown_code_page]
[3260]iexplore.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x7652DB09-->00000000 [unknown_code_page]
[3260]iexplore.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[536]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[536]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[536]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x7652D690-->00000000 [unknown_code_page]
[536]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x7652F3A4-->00000000 [unknown_code_page]
[536]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x76576D5F-->00000000 [unknown_code_page]
[536]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x7652DB09-->00000000 [unknown_code_page]
[536]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[620]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[620]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[636]lsass.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[636]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[636]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[760]iexplore.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[760]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x75D18E3B-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x75D21305-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x75D5847D-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x75D42EF5-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x75D58152-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x75D410B0-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x75D6D639-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x75D6D65D-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x75D6D4D9-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x75D6D5D3-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x75D187AD-->00000000 [ieframe.dll]
[760]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x75D198DB-->00000000 [ieframe.dll]
[760]iexplore.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x7652D690-->00000000 [unknown_code_page]
[760]iexplore.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x7652F3A4-->00000000 [unknown_code_page]
[760]iexplore.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x76576D5F-->00000000 [unknown_code_page]
[760]iexplore.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x7652DB09-->00000000 [unknown_code_page]
[760]iexplore.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x7613330C-->00000000 [SeaNote.dll]
[760]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x761340D9-->00000000 [SeaNote.dll]
[760]iexplore.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x7613418A-->00000000 [SeaNote.dll]
[760]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x7613343A-->00000000 [SeaNote.dll]
[760]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x7613659B-->00000000 [SeaNote.dll]
[760]iexplore.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [SeaNote.dll]
[760]iexplore.exe-->wsock32.dll-->recv, Type: Inline - RelativeJump 0x73181858-->00000000 [SeaNote.dll]
[828]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[828]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[828]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[828]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[828]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[828]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[828]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[828]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[828]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[828]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[888]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[888]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[888]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77813BA9-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x778139AB-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x778241F1-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x7782391E-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x778189C7-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77827C42-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77837BA1-->00000000 [unknown_code_page]
[924]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x7782E2B5-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x76ABCE5F-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x76ABAECB-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x76A72EF5-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x76A75C0C-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x76A98E6E-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x76A71C28-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x76AB903B-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x76A719C9-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x76A71929-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x76A994DC-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x76A994B4-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x76A99109-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x76A99362-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x76A71DC3-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x76A9DBDA-->00000000 [unknown_code_page]
[924]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x76B05CF7-->00000000 [unknown_code_page]
[924]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
jaspatton
Active Member
 
Posts: 7
Joined: December 5th, 2010, 8:26 pm

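A small triage script for a hook listing of the kind posted above, added here as an example; it is not part of the original post and is not code from any scanner or cleanup tool named in the thread. It assumes the line format shown in the log, treats ieframe.dll as the one hook owner expected inside iexplore.exe (an allow-list assumption), reads the `[unknown_code_page]` owner as "the scanner could not attribute the jump to any loaded module", and runs on a constructed subset of the posted lines rather than the full log.

```python
"""Triage a user-mode inline hook listing in the format posted above.

Added example for this thread, not code from the original post or from any
scanner or cleanup tool named on the page.  Each input line means the named
export's first bytes were overwritten with a jump; [owner] is the module the
scanner attributed that jump to, and "unknown_code_page" is read here as
"could not be attributed to any loaded module".
"""
from __future__ import annotations
import re
from collections import defaultdict
from typing import NamedTuple

# ASSUMPTION: owners treated as benign.  ieframe.dll is Internet Explorer's own
# frame library and is expected to hook user32 inside iexplore.exe.
TRUSTED_HOOK_OWNERS = {"ieframe.dll"}
UNATTRIBUTED = "unknown_code_page"

HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<dll>.+?)-->(?P<func>\w+), "
    r"Type: (?P<type>.+?) 0x(?P<addr>[0-9A-Fa-f]+)-->(?P<target>[0-9A-Fa-f]+) "
    r"\[(?P<owner>[^\]]+)\]$")

class Hook(NamedTuple):
    pid: int
    proc: str
    dll: str
    func: str
    hook_type: str
    addr: str   # patched address inside the export
    owner: str  # module the scanner attributed the hook to

def parse_hooks(text: str) -> list[Hook]:
    """Parse every hook line; blank lines and trailer text are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(int(m["pid"]), m["proc"], m["dll"], m["func"],
                              m["type"], m["addr"].upper(), m["owner"]))
    return hooks

def hooks_by_process(hooks: list[Hook]) -> dict[tuple[int, str], list[Hook]]:
    """Group hooks by (pid, process name) in log order."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[(h.pid, h.proc)].append(h)
    return dict(grouped)

def suspicious_hooks(hooks: list[Hook], trusted=TRUSTED_HOOK_OWNERS) -> list[Hook]:
    """Hooks attributed to a named module that is not trusted: look these up
    on disk first.  A module nobody installed on purpose sitting on the
    browser's socket/connect/send path is exactly what a search redirector needs."""
    return [h for h in hooks if h.owner != UNATTRIBUTED and h.owner not in trusted]

def ubiquitous_hooks(hooks: list[Hook]) -> dict[tuple[str, str, str], set[int]]:
    """(dll, func, addr) triples hooked in every process in the log.  The same
    patched address everywhere means the patch goes in wherever that system
    DLL is mapped: global injection, not one misbehaving program."""
    all_pids = {h.pid for h in hooks}
    seen = defaultdict(set)
    for h in hooks:
        seen[(h.dll, h.func, h.addr)].add(h.pid)
    return {k: pids for k, pids in seen.items() if pids == all_pids}

def report(text: str) -> list[str]:
    """Summary lines a responder would post back: per-process owners, then flags."""
    hooks = parse_hooks(text)
    by_proc = hooks_by_process(hooks)
    out = [f"{len(hooks)} hooks in {len(by_proc)} processes"]
    for (pid, proc), hs in by_proc.items():
        out.append(f"  [{pid}] {proc}: {len(hs)} hooks, owners "
                   + ", ".join(sorted({h.owner for h in hs})))
    for h in suspicious_hooks(hooks):
        out.append(f"  CHECK ON DISK: {h.owner} hooks {h.dll}!{h.func} in [{h.pid}] {h.proc}")
    for (dll, func, addr), pids in ubiquitous_hooks(hooks).items():
        out.append(f"  GLOBAL: {dll}!{func} @0x{addr} hooked in all {len(pids)} processes")
    return out

# Constructed subset of the posted log (same line format, not the full listing).
SAMPLE_LOG = """\
[536]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[536]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[620]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[620]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [unknown_code_page]
[760]iexplore.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x76A71BF3-->00000000 [unknown_code_page]
[760]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x75D187AD-->00000000 [ieframe.dll]
[760]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x761340D9-->00000000 [SeaNote.dll]
[760]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x7613659B-->00000000 [SeaNote.dll]
[760]iexplore.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761336D1-->00000000 [SeaNote.dll]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Paste the full listing into `SAMPLE_LOG` (or read it from a file) and the report separates the three things worth acting on: a named module outside the allow-list hooking the browser's ws2_32 exports, hooks at identical addresses in every process (including services.exe and lsass.exe in the full log), and the remaining unattributed hooks. Note that the `socket` hook sits at the same address in all three processes but is attributed to SeaNote.dll only inside iexplore.exe; that is a reason to locate and inspect that module, not proof by itself.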
Re: Search Redirect Infection

Post by Cypher » December 11th, 2010, 2:37 pm

Hi jaspatton.

jaspatton wrote:
    my laptop is running faster (programs are much more responsive) as well the redirect problem is gone.

Good news and good work well done :)
We still have a few things to do so please stay with me.

Fix HijackThis entries

Run HijackThis

If using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".
  • If you are on the Main Menu page... Click "Do a system scan only"
  • If you are on the "scan & fix stuff" page... Press the Scan...button.
  • When the scan finishes...Place a check mark next to the following entries (if they are still present)
  • Note: Only check those items listed below.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - Global Startup: ApproveIt StartUp.lnk = ?
    O15 - Trusted Zone: http://*.pecinc.com
    O15 - Trusted Zone: http://*.softsonline.org

  • After checking these items... CLOSE ALL open windows except HijackThis.
  • Click the Fix Checked ...button...to remove the entries you checked.
  • Choose YES...when prompted to fix the selected items.
  • Once it has fixed them, close HijackThis and reboot your computer normally.

Next.

Post a New HJT Log
  • Start HijackThis.
  • If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  • From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
  • When completed...Notepad will open with the new "hijackthis.log" file contents.
  • Copy/paste the entire (hijackthis.log) file contents in your next reply.

Next.

Java SE Runtime Environment (JRE).

Please download from HERE
  • Find Java SE Runtime Environment (JRE) 6 Update 23.
  • Click the Download JRE button to the right.
  • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.

Next.

Please download ATF Cleaner to your desktop.

  • Right-click ATF-Cleaner.exe and select "Run as administrator" to run it.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next.

We need to disable McAfee Security Center and its components temporarily as it will interfere with the below scan.

  • Open McAfee Security Center.
  • Click on Home on the left pane.
  • Beside Computer & Files, click on the arrow button.
  • Next, click on the arrow button beside Configure at the middle right (NOT the bottom one).
  • You will come to a new page. Please check (click) Off for all the protections. Remember to scroll down.
  • You will be prompted, select Never and just click OK.
  • Note: Don't forget to re-enable it after the scan.

Here is an illustration to assist you:
Image

Next.

ESET online scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Hold down Control then click on the following link to open a new window to ESET online scanner
  • Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.



Logs/Information to Post in your Next Reply

  • HijackThis log.
  • ESET log.
  • Please give me an update on your computers performance.
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
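As an added example (not part of the thread and not a HijackThis feature), the following Python script parses HijackThis-format entries and flags the same kinds of entries the helper asked to have fixed above: blank R0 search values, a ProxyOverride, an O15 Trusted Zone site and a Global Startup shortcut whose target resolves to "?". It also flags O1 Hosts lines that map a non-localhost name to the local machine. The sample log, the domains and the service name in it are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.4 log format (not taken from any real machine).
# The entry kinds mirror those the helper asked to have fixed in the thread above.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 av-updates.example.invalid
O4 - Global Startup: ApproveIt StartUp.lnk = ?
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O15 - Trusted Zone: http://*.example.invalid
O23 - Service: Example Service (examplesvc) - Example Ltd. - C:\Program Files\Example\examplesvc.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O1 ... O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def parse_entries(log_text):
    """Return (section, body, full_line) for each entry line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(log_text):
    """Flag the entries a malware-removal helper would look at first."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section in ("R0", "R1"):
            # IE registry values are printed as "key = value"; a blanked value
            # (nothing after "=") or a proxy override both deserve a second look.
            key, _, value = body.partition(" = ")
            if not value.strip():
                findings.append(Finding(line, "blank Internet Explorer search/start value"))
            elif key.endswith("ProxyOverride"):
                findings.append(Finding(line, "proxy override configured"))
        elif section == "O1":
            # Hosts file entries: only the loopback name belongs on the local address.
            parts = body.split(":", 1)[1].split()
            if len(parts) >= 2 and parts[1].lower() != "localhost":
                findings.append(Finding(line, "hosts file maps a name to the local machine"))
        elif section == "O4" and body.endswith("= ?"):
            findings.append(Finding(line, "startup shortcut with unresolved target"))
        elif section == "O15":
            findings.append(Finding(line, "site added to Internet Explorer Trusted Zone"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.reason}: {f.line}")
```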

Re: Search Redirect Infection

Unread postby jaspatton » December 11th, 2010, 7:01 pm

Cypher,
still running faster than before, and still not experiencing the pesky redirect - or any other issues for that matter.

Here are the latest HJT log & the ESET log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:29:14 PM, on 12/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TouchFreeze\TouchFreeze.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Users\James\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
O4 - HKLM\..\Run: [PAP7501_Monitor] C:\Windows\Pixart\PAP7501\GUCI_AVS.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Magellan CmTray] C:\Program Files\Content Manager\CmTray.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: ActivIdentity Shared Store Service (ac.sharedstore) - ActivIdentity - C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe

--
End of file - 9587 bytes

ESET Log:

C:\Users\James\AppData\Roaming\Adobe\plugs\623738.bat BAT/DelMe.A.Gen trojan


Looks like there is still one trojan...

Thanks,
Jim
jaspatton
Active Member
 
Posts: 7
Joined: December 5th, 2010, 8:26 pm

Re: Search Redirect Infection

Unread postby Cypher » December 12th, 2010, 6:30 am

Hi jaspatton.
still running faster than before, and still not experiencing the pesky redirect - or any other issues for that matter.

Excellent good work :)
Looks like there is still one trojan...

We can take care of that now then you're good to go.

Delete file/folder
Click on Start > All programs > Accessories > Run.
Copy/paste the following command into the box and press OK (do not include the word "quote"):
cmd /c del /F C:\Users\James\AppData\Roaming\Adobe\plugs\623738.bat

A blank command window will open on your desktop, then close in a minute or two. This is normal.

Your latest set of logs appears to be clean!
This is my general post for when your logs show no more signs of malware.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Clean up with OTM

  • Right-click OTM.exe and select "Run as administrator" to run it. If Windows UAC prompts you, please allow it.
  • This tool will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTMoveIt3 as this step will require a reboot
  • On the OTM main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

You can now delete any tools we used if they remain on your Desktop.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

Here are some free programs I recommend that could help you improve your computer's security.

I recommend you keep Malwarebytes' Anti-Malware, keep it updated and run it once a week.
I also recommend you keep ATF Cleaner to clean out temp files.

Install SpywareBlaster
Download and install Javacools SpywareBlaster from Here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE

MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can find the tutorial HERE

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update > Check for updates.
To update Office
Open up any Office program.
Go to Help > Check for Updates

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Search Redirect Infection

Unread postby jaspatton » December 12th, 2010, 1:18 pm

Cypher,

Done deal! I can't tell you how much I appreciate you giving my computer back to me - the redirect was driving me insane.

You guys & gals are the best, bar none.

Best wishes to you, I hope you have a wonderful holiday season!

Thanks,
Jim
jaspatton
Active Member
 
Posts: 7
Joined: December 5th, 2010, 8:26 pm

Re: Search Redirect Infection

Unread postby Cypher » December 12th, 2010, 1:31 pm

Hi Jim.
I can't tell you how much I appreciate you giving my computer back to me

You're most welcome.
Best wishes to you, I hope you have a wonderful holiday season!

And the same to your good self :)
Good luck and stay safe.
As your problems appear to have been resolved, this topic is now closed.
We are pleased we could help you resolve your computer's malware issues.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Donations For Malware Removal
Cypher
Admin/Teacher
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns