50 copies of wuauclt.exe process, and can't restart

Post by keithgmccall » July 27th, 2010, 5:53 pm

My Firefox freezes or crashes every few minutes, my computer runs up to 50 copies of
wuauclt.exe before freezing my computer, and when I try to restart, my computer freezes.
I have run multiple scans, and none of them find anything. Here are the HijackThis logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:13 PM, on 7/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Gatorlink VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2411600578
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 7768 bytes

2008 Gator Football Schedule
7-Zip 4.65
Ad-Aware
Ad-Aware
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Free Antivirus
Bonjour
Broadcom 802.11 Wireless LAN Adapter
Canon iP2600 series
Canon iP2600 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Conexant AC-Link Audio
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Data Fax SoftModem with SmartCP
DiskAid 3.1
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Driver Detective
Flip Words 2
Full Tilt Poker
Gator Saver
Gatorlink VPN Client 5.0.06.0160
HijackThis 2.0.2
Hold'em Partner
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Help and Support
HP Software Update
HP User Guides 0002
HP Wireless Assistant 1.01 A2
InterVideo WinDVD
iTunes
Java(TM) 6 Update 14
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.8)
muvee autoProducer 4.0 - SE
OpenOffice.org 3.0
PowerISO
Quick Launch Buttons 5.10 B2
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
Total Commander (Remove or Repair)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Zone Deluxe Games

Thanks for your help.
keithgmccall
Regular Member
 
Posts: 19
Joined: July 27th, 2010, 5:49 pm
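As an added triage example (not a tool from this thread or from MalwareRemoval.com): a small Python script that reads the "Running processes" section of a HijackThis or DDS log like the one above, counts instances per image, and flags images whose count exceeds a per-image ceiling, which is exactly the symptom reported here (dozens of wuauclt.exe), plus a second check for well-known system binaries running from outside the Windows system directory. The ceilings, the list of system-only binaries and the sample log are constructed assumptions, not values from the thread.

```python
"""Triage helper for the 'Running processes' section of a HijackThis or DDS log.

Added example, not a tool from the forum thread. Counts process images per
basename, flags images above a per-image ceiling (the thread's symptom: many
wuauclt.exe instances), and flags system binaries running from odd paths.
"""
from collections import Counter
import re

# Ceilings are assumptions for a single-user Windows XP box, not Microsoft figures.
# svchost.exe legitimately runs many instances (one per service group);
# wuauclt.exe (the Windows Update client) normally appears once or twice.
EXPECTED_MAX = {"svchost.exe": 12, "wuauclt.exe": 2, "wmiprvse.exe": 3}
DEFAULT_MAX = 2  # many images legitimately run once per logon session

# Binaries that should only run from the Windows system directory (assumption).
SYSTEM_ONLY = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# HijackThis header: 'Running processes:'  DDS header: '=== Running Processes ==='
HEADER_RE = re.compile(r"^(running processes:|=+\s*running processes\s*=+)$", re.I)


def extract_processes(log_text):
    """Return the image paths listed under the 'Running processes' header.

    The section ends at the first blank line after its first entry.
    svchost's '-k group' argument is dropped; DDS entries printed without an
    extension (e.g. 'svchost -k DcomLaunch') get '.exe' appended.
    """
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = bool(HEADER_RE.match(line))
            continue
        if not line:
            if paths:
                break          # blank line terminates the section
            continue           # tolerate blank line(s) right after the header
        path = line.split(" -k ", 1)[0].strip()
        if "." not in path.rsplit("\\", 1)[-1]:
            path += ".exe"
        paths.append(path)
    return paths


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def count_images(paths):
    """Counter of lower-cased basenames, e.g. {'wuauclt.exe': 5, ...}."""
    return Counter(basename(p) for p in paths)


def flag_excess(counts, ceilings=EXPECTED_MAX, default_max=DEFAULT_MAX):
    """Return {image: count} for images whose count exceeds their ceiling."""
    return {img: n for img, n in counts.items() if n > ceilings.get(img, default_max)}


def flag_misplaced(paths):
    """Return system-only images that are not under a Windows system directory."""
    return sorted({p for p in paths
                   if basename(p) in SYSTEM_ONLY
                   and not p.lower().startswith(SYSTEM_DIRS)})


def triage(log_text):
    paths = extract_processes(log_text)
    return {"total": len(paths),
            "excess": flag_excess(count_images(paths)),
            "misplaced": flag_misplaced(paths)}


# Constructed sample modelled on the DDS output posted in the thread (shortened).
SAMPLE_DDS_LOG = r"""DDS (Ver_10-03-17.01) - NTFSx86
Run by Example User at 10:05:48.93 on Fri 07/30/2010

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============
"""

if __name__ == "__main__":
    report = triage(SAMPLE_DDS_LOG)
    for img, n in report["excess"].items():
        print(f"{img}: {n} instances (ceiling {EXPECTED_MAX.get(img, DEFAULT_MAX)})")
    print("misplaced system binaries:", report["misplaced"] or "none")
```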

Re: 50 copies of wuauclt.exe process, and can't restart

Post by jmw3 » July 30th, 2010, 4:40 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after, two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here & save it to your desktop.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Do not run any programs while Gmer is running.

NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
  • Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
  • Double click the gmer.exe file
  • The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
  • After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply
To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: 50 copies of wuauclt.exe process, and can't restart

Post by keithgmccall » July 30th, 2010, 10:28 am

Here are the first two logs. I will post the Gmer log in a separate post due to character limits. The first one is the DDS, the second one is Attach.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Keith McCall at 10:05:48.93 on Fri 07/30/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.223 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Keith McCall\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Google Update] "c:\documents and settings\keith mccall\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gatorl~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 2411600578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keithm~1\applic~1\mozilla\firefox\profiles\178tfl7i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\keith mccall\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\keith mccall\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\keith mccall\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\keith mccall\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-19 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-24 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-24 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-24 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-24 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-24 40384]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2008-10-24 200192]
S1 tmsrrqp;tmsrrqp;c:\windows\system32\drivers\tmsrrqp.sys [2004-8-4 295968]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

=============== Created Last 30 ================

2010-07-19 23:24:23 98816 ----a-w- c:\windows\sed.exe
2010-07-19 23:24:23 77312 ----a-w- c:\windows\MBR.exe
2010-07-19 23:24:23 256512 ----a-w- c:\windows\PEV.exe
2010-07-19 23:24:23 161792 ----a-w- c:\windows\SWREG.exe
2010-07-11 04:03:23 0 d-----w- c:\docume~1\keithm~1\applic~1\SUPERAntiSpyware.com
2010-07-11 04:03:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-10 23:29:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-07-10 23:29:30 0 dc----w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-01 21:20:31 38848 ----a-w- c:\windows\avastSS.scr

==================== Find3M ====================

2010-06-01 03:03:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-13 00:36:49 84512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 10:06:38.82 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/24/2008 4:56:51 PM
System Uptime: 7/29/2010 9:25:06 PM (13 hours ago)

Motherboard: Quanta | | 3096
Processor: Mobile AMD Sempron(tm) Processor 3300+ | U23 | 1989/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 39 GiB total, 5.449 GiB free.
D: is FIXED (NTFS) - 29 GiB total, 1.109 GiB free.
F: is CDROM ()
G: is CDROM ()
H: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3091103C&REV_10\4&13826118&0&00A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3091103C&REV_10\4&13826118&0&00A4
Service: RTL8023xp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP1: 7/9/2010 3:56:18 PM - System Checkpoint
RP2: 7/10/2010 6:59:36 PM - System Checkpoint
RP3: 7/12/2010 5:46:44 PM - System Checkpoint
RP4: 7/13/2010 6:42:33 PM - System Checkpoint
RP5: 7/14/2010 9:36:18 PM - System Checkpoint
RP6: 7/16/2010 11:36:51 AM - System Checkpoint
RP7: 7/17/2010 2:47:44 PM - System Checkpoint
RP8: 7/18/2010 8:11:43 PM - System Checkpoint
RP9: 7/21/2010 11:52:01 AM - System Checkpoint
RP10: 7/22/2010 2:22:01 PM - System Checkpoint
RP11: 7/23/2010 5:17:28 PM - System Checkpoint
RP12: 7/25/2010 10:12:15 AM - System Checkpoint
RP13: 7/26/2010 12:00:33 PM - System Checkpoint
RP14: 7/27/2010 3:21:40 PM - OTL Restore Point
RP15: 7/28/2010 5:40:18 PM - System Checkpoint
RP16: 7/29/2010 5:52:23 PM - System Checkpoint

==== Installed Programs ======================


2008 Gator Football Schedule
7-Zip 4.65
AAC Decoder
Ad-Aware
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
avast! Free Antivirus
Bonjour
Broadcom 802.11 Wireless LAN Adapter
Canon iP2600 series
Canon iP2600 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Conexant AC-Link Audio
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Data Fax SoftModem with SmartCP
DiskAid 3.1
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Driver Detective
Flip Words 2
Full Tilt Poker
Gator Saver
Gatorlink VPN Client 5.0.06.0160
Google Chrome
H.264 Decoder
HijackThis 2.0.2
Hold'em Partner
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Help and Support
HP Software Update
HP User Guides 0002
HP Wireless Assistant 1.01 A2
InterVideo WinDVD
iTunes
Java(TM) 6 Update 14
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MKV Splitter
Move Media Player
Mozilla Firefox (3.6.8)
muvee autoProducer 4.0 - SE
OpenOffice.org 3.0
PowerISO
Quick Launch Buttons 5.10 B2
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Total Commander (Remove or Repair)
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Zone Deluxe Games

==== Event Viewer Messages From Past Week ========

7/28/2010 8:51:24 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/28/2010 4:04:25 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
7/27/2010 8:11:07 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
7/26/2010 4:52:51 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The system cannot find the file specified.
7/25/2010 11:56:19 PM, error: PlugPlayManager [12] - The device 'TSSTcorp CD/DVDW TS-L532R' (IDE\CdRomTSSTcorp_CD/DVDW_TS-L532R_______________HA05____\3559373431323434363220202020202020202020) disappeared from the system without first being prepared for removal.
7/25/2010 11:54:46 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0014A52DF579 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/25/2010 10:28:39 AM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).
7/25/2010 10:28:39 AM, error: Service Control Manager [7034] - The avast! Mail Scanner service terminated unexpectedly. It has done this 1 time(s).
7/25/2010 10:28:39 AM, error: Service Control Manager [7034] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s).
7/25/2010 1:45:19 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.

==== End Of File ===========================

Re: 50 copies of wuauclt.exe process, and can't restart

Post by keithgmccall » July 30th, 2010, 10:31 am

Here is the first half of the GMER report.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-30 10:23:32
Windows 5.1.2600 Service Pack 3
Running: hr2qw1m9.exe; Driver: C:\DOCUME~1\KEITHM~1\LOCALS~1\Temp\pwldraow.sys
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE424CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE424B8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE425142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE42506C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE424764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE424C68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE4246A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE424708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE424D88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE425210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE424D48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE424EC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEE431B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEE4319C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE431AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP EE431AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP EE4319C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP EE42D5B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP EE42EF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP EE431BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP A3000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 9D000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP A0000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 9A000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP A6000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 37000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 3D000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 67000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!send 71AB4C27 8 Bytes JMP 64000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 94000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 3A000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!recv 71AB676F 8 Bytes JMP 97000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 61000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP A9000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 8B000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 76000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 6A000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 7C000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 73000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 8E000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 85000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 79000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 91000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 7F000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 82, 01] {AND EAX, 0x1820000}
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 6D000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 70000025
.text C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe[400] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 88000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 83000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP F1FFEEEE
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 80000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 7A000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 86000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 89000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 17000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 1D000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 47000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!send 71AB4C27 8 Bytes JMP 44000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 74000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 1A000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!recv 71AB676F 8 Bytes JMP 0C75FFD0
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 41000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 6B000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 56000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 4A000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 5C000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 53000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 6E000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 65000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 59000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 71000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 5F000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 62, 01] {AND EAX, 0x1620000}
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 4D000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 50000025
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[820] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 68000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP AD000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP A7000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP AA000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP A4000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP B0000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP B3000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 41000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 47000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 71000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!send 71AB4C27 8 Bytes JMP 6E000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 9E000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 44000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!recv 71AB676F 8 Bytes JMP A1000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 6B000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 95000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 80000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 74000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 86000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP F1FFEEEE
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 98000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 8F000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 83000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 9B000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 89000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 8C, 01] {AND EAX, 0x18c0000}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 0C75FFD0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 7A000025
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[840] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 92000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 31000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 2B000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 2E000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 28000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 34000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 37000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP C4000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP CA000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP F4000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!send 71AB4C27 8 Bytes JMP F1000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 22000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP C7000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!recv 71AB676F 8 Bytes JMP 25000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP EE000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 19000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 03000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP F7000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 09000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 00000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 1C000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 13000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 06000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 1F000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 0C000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 10, 01] {AND EAX, 0x1100000}
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP FA000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP FD000025
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[920] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 16000025
keithgmccall
Regular Member
 
Posts: 19
Joined: July 27th, 2010, 5:49 pm

Re: 50 copies of wuauclt.exe process, and can't restart

Unread postby keithgmccall » July 30th, 2010, 10:35 am

Sorry about the triple post. Here is the rest of the Gmer log.


.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP A3000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 9D000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP A0000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 9A000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP A6000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 37000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 3D000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 67000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!send 71AB4C27 8 Bytes JMP 64000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 94000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 3A000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!recv 71AB676F 8 Bytes JMP 97000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 61000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP A9000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 8B000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 76000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 6A000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 7C000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 73000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 8E000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 85000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 79000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 91000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 7F000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 82, 01] {AND EAX, 0x1820000}
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 6D000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 70000025
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1064] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 88000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 0E000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 08000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 0B000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 05000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 11000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 14000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP C2000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP C8000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP D2000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!send 71AB4C27 8 Bytes JMP CF000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP FF000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP C5000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!recv 71AB676F 8 Bytes JMP 02000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP CC000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP F6000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP E1000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP D5000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP E7000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP DE000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP F9000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP F0000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP E4000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP FC000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP EA000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, ED, 00] {AND EAX, 0xed0000}
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP D8000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP DB000025
.text C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe[1108] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP F3000025
.text C:\WINDOWS\system32\notepad.exe[1168] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 34000025
.text C:\WINDOWS\system32\notepad.exe[1168] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 2E000025
.text C:\WINDOWS\system32\notepad.exe[1168] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 31000025
.text C:\WINDOWS\system32\notepad.exe[1168] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 2B000025
.text C:\WINDOWS\system32\notepad.exe[1168] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 37000025
.text C:\WINDOWS\system32\notepad.exe[1168] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\WINDOWS\system32\notepad.exe[1168] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 3A000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP E6000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP ED000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP F6000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!send 71AB4C27 8 Bytes JMP F3000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 25000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP EA000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!recv 71AB676F 8 Bytes JMP 28000025
.text C:\WINDOWS\system32\notepad.exe[1168] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP F0000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 1C000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 07000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP F9000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 0D000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 04000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 1F000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 16000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 0A000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 22000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 10000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 13, 01] {AND EAX, 0x1130000}
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP FC000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP FF000025
.text C:\WINDOWS\system32\notepad.exe[1168] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 19000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 2C000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 26000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 29000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 23000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 2F000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 32000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP BF000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP C5000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP EF000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!send 71AB4C27 6 Bytes JMP EC000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!send + 7 71AB4C2E 1 Byte [00]
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 1D000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP C2000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!recv 71AB676F 8 Bytes JMP 20000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP E9000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 14000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP FE000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP F2000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 04000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP FB000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 17000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 0E000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes [55, 90, FF, 25, 00, 00, 01, ...] {PUSH EBP; NOP ; JMP [0x1010000]}
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 1A000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 07000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 0B, 01] {AND EAX, 0x10b0000}
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP F5000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP F8000025
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1244] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 11000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 9A000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP A0000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP BA000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!send 71AB4C27 8 Bytes JMP B7000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP E5000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 9D000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!recv 71AB676F 8 Bytes JMP E8000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP B4000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP F4000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP EE000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP F1000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP EB000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP F7000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP DC000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP C7000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP BB000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP CD000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP C4000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP DF000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP D6000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP CA000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP E2000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP D0000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, D3, 01] {AND EAX, 0x1d30000}
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP BE000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP C1000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP D9000025
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1824] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP FA000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 49000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 43000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 46000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 40000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 4C000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 31000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 1C000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 10000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 22000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 19000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 34000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 2B000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 1F000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 37000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 25000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 28, 01] {AND EAX, 0x1280000}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 13000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 16000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 2E000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 4F000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP DD000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP E3000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 0D000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!send 71AB4C27 8 Bytes JMP 0A000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 3A000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP E0000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!recv 71AB676F 8 Bytes JMP 3D000025
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1884] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP E6000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 75000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 6F000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 72000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 6C000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 78000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 06000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 0E000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 38000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!send 71AB4C27 8 Bytes JMP 35000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 66000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 0B000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!recv 71AB676F 8 Bytes JMP 69000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 11000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 7B000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 5C000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 47000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 3B000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 4D000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 44000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 60000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 56000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 4A000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!InternetWriteFile 771F8E07 8 Bytes [55, 90, FF, 25, 00, 00, 63, ...] {PUSH EBP; NOP ; JMP [0x1630000]}
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 50000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 53, 01] {AND EAX, 0x1530000}
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 3E000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 41000025
.text C:\Program Files\iTunes\iTunesHelper.exe[1904] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 59000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 2F000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 29000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 2C000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 26000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 32000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\WINDOWS\system32\ctfmon.exe[1988] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 35000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP E3000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP EA000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP F3000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!send 71AB4C27 8 Bytes JMP F0000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 20000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP E7000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!recv 71AB676F 8 Bytes JMP 23000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP ED000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 17000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 02000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP F6000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 08000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP FF000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 1A000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 11000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 05000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 1D000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 0B000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 0E, 01] {AND EAX, 0x10e0000}
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP F9000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP FC000025
.text C:\WINDOWS\system32\ctfmon.exe[1988] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 14000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP C5000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP CB000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 2B000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!send 71AB4C27 8 Bytes JMP 28000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 34000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP C8000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!recv 71AB676F 8 Bytes JMP 37000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP CF000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 46000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 40000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 43000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 3D000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 49000025
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 4C000025
.text C:\WINDOWS\explorer.exe[4504] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP E2000025
.text C:\WINDOWS\explorer.exe[4504] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP D6000025
.text C:\WINDOWS\explorer.exe[4504] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP D9000025
.text C:\WINDOWS\explorer.exe[4504] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP D3000025
.text C:\WINDOWS\explorer.exe[4504] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP E5000025
.text C:\WINDOWS\explorer.exe[4504] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\WINDOWS\explorer.exe[4504] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP E8000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP C4000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP AF000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 47000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP B5000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP AC000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP C7000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP BE000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP B2000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP CA000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP B8000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, BB, 01] {AND EAX, 0x1bb0000}
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 4A000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 4D000025
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP C1000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 34000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 3B000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 44000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!send 71AB4C27 8 Bytes JMP 41000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP CD000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 38000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!recv 71AB676F 8 Bytes JMP D0000025
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 3E000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP A5000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 9F000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP A2000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 9C000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP A8000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP AB000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 39000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 3F000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 69000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!send 71AB4C27 8 Bytes JMP 66000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 96000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 3C000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!recv 71AB676F 8 Bytes JMP 99000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WS2_32.dll!WSASend 71AB68FA 8 Bytes [55, 90, FF, 25, 00, 00, 63, ...] {PUSH EBP; NOP ; JMP [0x1630000]}
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 8D000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 78000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 6C000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 7E000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 75000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 90000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 87000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 7B000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 93000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 81000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 84, 01] {AND EAX, 0x1840000}
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 6F000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 72000025
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5428] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 8A000025
.text C:\WINDOWS\system32\notepad.exe[5628] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 34000025
.text C:\WINDOWS\system32\notepad.exe[5628] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 2E000025
.text C:\WINDOWS\system32\notepad.exe[5628] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 31000025
.text C:\WINDOWS\system32\notepad.exe[5628] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 2B000025
.text C:\WINDOWS\system32\notepad.exe[5628] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 37000025
.text C:\WINDOWS\system32\notepad.exe[5628] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\WINDOWS\system32\notepad.exe[5628] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 3A000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP E6000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP ED000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP F6000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!send 71AB4C27 8 Bytes JMP F3000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 25000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP EA000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!recv 71AB676F 8 Bytes JMP 28000025
.text C:\WINDOWS\system32\notepad.exe[5628] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP F0000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 1C000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 07000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP F9000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 0D000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 04000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 1F000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 16000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 0A000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 22000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 10000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 13, 01] {AND EAX, 0x1130000}
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP FC000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP FF000025
.text C:\WINDOWS\system32\notepad.exe[5628] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 19000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 50000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] USER32.dll!PeekMessageW 7E41929B 8 Bytes JMP 4A000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 4D000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] USER32.dll!PeekMessageA 7E42A340 8 Bytes JMP 47000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 53000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 56000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP E3000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP E9000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 13000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!send 71AB4C27 8 Bytes JMP 10000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 41000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP E6000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!recv 71AB676F 8 Bytes JMP 44000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 0D000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!HttpOpenRequestA 771C2B01 8 Bytes JMP 38000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!InternetCloseHandle 771C4D94 8 Bytes JMP 22000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!HttpSendRequestA 771C60A9 8 Bytes JMP 16000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!InternetReadFile 771C82F2 8 Bytes JMP 28000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!HttpSendRequestExW 771CEA01 8 Bytes JMP 1F000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!HttpOpenRequestW 771CF517 8 Bytes JMP 3B000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!CommitUrlCacheEntryA 771D1BC2 8 Bytes JMP 31000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!InternetQueryDataAvailable 771D8A67 8 Bytes JMP 25000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!InternetWriteFile 771F8E07 8 Bytes JMP 3E000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!InternetReadFileExA 771F934E 8 Bytes JMP 2B000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!InternetReadFileExW 771F9D9E 2 Bytes [55, 90] {PUSH EBP; NOP }
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, 2E, 01] {AND EAX, 0x12e0000}
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!HttpSendRequestW 77213224 8 Bytes JMP 19000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!HttpSendRequestExA 77213329 8 Bytes JMP 1C000025
.text C:\Documents and Settings\Keith McCall\Desktop\hr2qw1m9.exe[5972] WININET.dll!CommitUrlCacheEntryW 772212D7 8 Bytes JMP 34000025

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Ntfs \Ntfs 84D8DFC5

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Threads - GMER 1.0.15 ----

Thread System [4:144] 84D8D7CA
Thread System [4:160] 84D8D57C
Thread System [4:164] 84D8E57D

---- EOF - GMER 1.0.15 ----
keithgmccall
Regular Member
 
Posts: 19
Joined: July 27th, 2010, 5:49 pm
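As an added example (not part of this thread or of GMER itself), a small Python parser for the user-mode hook lines GMER prints in the listing above, so a helper can see per process which APIs are hooked, which were patched inline, and which JMP destinations GMER could not attribute to a module. The sample lines are constructed in that format; the regular expressions are this example's own reading of the layout, not a format specification from GMER.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A GMER user-mode hook line: section, process path, [pid], module!function[ + offset],
# address, patch length, then either "JMP <target> [<owner path> (<description>)]"
# or "[<patched bytes>] {<disassembly>}" (assumed layout, taken from the listing above).
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>.+))?$")
PATCH_RE = re.compile(r"^\[(?P<bytes>[^\]]*)\]\s*\{(?P<asm>[^}]*)\}$")

# Constructed sample in the format of the listing above (not a real log).
SAMPLE_LOG = r"""
.text C:\WINDOWS\explorer.exe[4504] WS2_32.dll!send 71AB4C27 8 Bytes JMP 41000025
.text C:\WINDOWS\explorer.exe[4504] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes [33, C0, 40, C2, 10, 00] {XOR EAX, EAX; INC EAX; RET 0x10}
.text C:\WINDOWS\explorer.exe[4504] WININET.dll!InternetReadFileExW + 3 771F9DA1 5 Bytes [25, 00, 00, BB, 01] {AND EAX, 0x1bb0000}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3908] WS2_32.dll!send 71AB4C27 8 Bytes JMP 28000025
---- Devices - GMER 1.0.15 ----
"""


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    offset: int               # bytes past the export, e.g. "InternetReadFileExW + 3"
    address: int
    length: int               # number of bytes GMER reports as changed
    kind: str                 # "jmp" (redirected) or "patch" (inline bytes)
    target: Optional[int]     # JMP destination, if any
    owner: Optional[str]      # module GMER resolved the destination to, if any
    disasm: Optional[str]     # GMER's decoding of an inline patch


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one '.text ...' line; lines from other GMER sections give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    kind, target, owner, disasm = "patch", None, None, None
    j = JMP_RE.match(rest)
    if j:
        kind, target, owner = "jmp", int(j["target"], 16), j["owner"]
    else:
        p = PATCH_RE.match(rest)
        if not p:
            return None
        disasm = p["asm"].strip()
    return Hook(
        process=m["proc"].strip(), pid=int(m["pid"]), module=m["module"],
        func=m["func"], offset=int(m["off"] or 0), address=int(m["addr"], 16),
        length=int(m["n"]), kind=kind, target=target, owner=owner, disasm=disasm,
    )


def parse_log(text: str) -> List[Hook]:
    return [h for h in map(parse_hook_line, text.splitlines()) if h is not None]


def hooks_by_process(hooks: List[Hook]) -> Dict[Tuple[str, int], List[str]]:
    """{(process, pid): sorted 'module!function' names} for a per-process view."""
    grouped = defaultdict(set)
    for h in hooks:
        grouped[(h.process, h.pid)].add(f"{h.module}!{h.func}")
    return {key: sorted(names) for key, names in grouped.items()}


def unattributed_jumps(hooks: List[Hook]) -> List[Hook]:
    """JMP hooks whose destination GMER could not tie to a module. A product's
    own hook usually resolves to that product (as the firefox.exe line does);
    the ones left here are what a helper asks about first."""
    return [h for h in hooks if h.kind == "jmp" and h.owner is None]


def apis_hooked_everywhere(hooks: List[Hook]) -> List[str]:
    """APIs hooked in every listed process: a system-wide component (a security
    product's shield or an injected DLL) rather than something one program did."""
    per_process = hooks_by_process(hooks)
    if not per_process:
        return []
    common = set.intersection(*(set(v) for v in per_process.values()))
    return sorted(common)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for (proc, pid), names in hooks_by_process(found).items():
        print(f"{proc}[{pid}]: {len(names)} hooked APIs")
    print("hooked in every process:", apis_hooked_everywhere(found))
    for h in unattributed_jumps(found):
        print(f"unattributed JMP: {h.module}!{h.func} -> {h.target:08X}")
```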

Re: 50 copies of wuauclt.exe process, and can't restart

Unread postby jmw3 » July 30th, 2010, 10:49 am

Hi

Thanks for those.

View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Upload Files for Scanning
Go to VirusTotal & upload the following File/s for scanning.
  • Click Browse
  • Copy & paste the following File & Path in the text box next to File name: then click Open
    c:\windows\system32\drivers\tmsrrqp.sys
  • Click Send File
  • If confronted with two options, choose Reanalyse file now
  • Wait for scans to finish then copy & paste the URL from your browser address bar in your next reply
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: 50 copies of wuauclt.exe process, and can't restart

Unread postby keithgmccall » July 30th, 2010, 11:08 am

keithgmccall
Regular Member
 
Posts: 19
Joined: July 27th, 2010, 5:49 pm

Re: 50 copies of wuauclt.exe process, and can't restart

Unread postby jmw3 » July 30th, 2010, 11:13 am

Hi

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.
  • Save any unsaved work. TFC Cleaner will close all open application windows
  • Double-click TFC.exe to run the program, your desktop will temporarily disappear
  • If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
ComboFix log
Update on how the computer is running

OK, I'm off to bed as it's getting late here. I'll check back in the morning.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: 50 copies of wuauclt.exe process, and can't restart

Unread postby keithgmccall » July 30th, 2010, 12:27 pm

I ran both programs. TFC did have to restart my computer. It got stuck on "windows is shutting down" for about 45 minutes. It did finally restart though. Usually I don't wait that long. There was no change in my computer. There are still multiple copies of wuauclt.exe, and firefox still crashes every few minutes. Here is the ComboFix log.

ComboFix 10-07-29.04 - Keith McCall 07/30/2010 11:54:57.11.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.533 [GMT -4:00]
Running from: c:\documents and settings\Keith McCall\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.

2010-07-18 15:59 . 2010-07-18 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 15:59 . 2010-07-18 15:59 -------- d-----w- c:\program files\NOS
2010-07-18 15:59 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-07-18 15:59 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-07-11 04:04 . 2010-07-11 04:08 63488 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-11 04:03 . 2010-07-11 04:03 52224 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-11 04:03 . 2010-07-11 04:08 117760 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-11 04:03 . 2010-07-11 04:03 -------- d-----w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com
2010-07-11 04:03 . 2010-07-11 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-10 23:29 . 2010-07-10 23:29 -------- dc----w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-01 21:20 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 00:16 . 2010-04-03 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-10 23:25 . 2009-01-20 00:36 -------- d-----w- c:\program files\Lavasoft
2010-07-02 14:30 . 2009-07-22 19:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-28 20:57 . 2010-02-25 00:04 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-02-25 00:04 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-02-25 00:04 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-02-25 00:04 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-02-25 00:04 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-02-25 00:04 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-02-25 00:04 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-02-25 00:04 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-10 17:16 . 2010-06-10 17:16 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-06-10 17:16 . 2010-06-10 17:16 -------- d-----w- c:\program files\Cisco Systems
2010-06-09 03:12 . 2010-06-09 03:12 -------- d-----w- c:\program files\Coupons
2010-06-01 03:03 . 2010-06-01 03:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-31 21:55 . 2010-05-31 21:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-13 00:36 . 2009-10-26 21:58 84512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-03 21:07 . 2010-05-03 21:07 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-07-14_22.18.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-30 15:46 . 2010-07-30 15:46 16384 c:\windows\Temp\Perflib_Perfdata_cd0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 198160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Gatorlink VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2010-6-10 6144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\HPQ\\shared\\hpqwmi.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2010 6:01 PM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/24/2010 8:04 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/24/2010 8:04 PM 17744]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/24/2008 5:13 PM 200192]
S1 tmsrrqp;tmsrrqp;c:\windows\system32\drivers\tmsrrqp.sys [8/4/2004 8:00 AM 295968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1592454029-682003330-1004Core.job
- c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 21:01]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1592454029-682003330-1004UA.job
- c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\Keith McCall\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Keith McCall\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Keith McCall\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 12:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?4?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3032)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-30 12:20:25
ComboFix-quarantined-files.txt 2010-07-30 16:20
ComboFix2.txt 2010-07-25 18:30
ComboFix3.txt 2010-07-20 00:09
ComboFix4.txt 2010-07-14 23:11
ComboFix5.txt 2010-07-30 15:52

Pre-Run: 6,014,943,232 bytes free
Post-Run: 5,999,652,864 bytes free

- - End Of File - - A89CA51A6520C26E4827D95909EBB2FC
keithgmccall
Regular Member
 
Posts: 19
Joined: July 27th, 2010, 5:49 pm

Re: 50 copies of wuauclt.exe process, and can't restart

Unread postby jmw3 » July 30th, 2010, 11:19 pm

Hi

ComboFix has been run 11 times on this machine??? Have you had problems before?

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
Folder::
c:\program files\Coupons
File::
c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


I'd also like to see a list of files quarantined by ComboFix so please do this:
I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Post the contents of that file in your next reply.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
Pictured tutorial if required.
This scan will take quite some time to update & scan, so be patient with it.

To post in next reply:
ComboFix log
ComboFix-quarantined-files log
Kaspersky Online Scan log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
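A check a helper can run once the follow-up log is posted: parse the CFScript's Folder::/File:: entries and confirm each one shows up under ComboFix's "Other Deletions" banner, flagging anything ComboFix removed that the script did not ask for. This is an added Python example, not part of the thread and not ComboFix's own code; the sample script and log text are constructed to mirror the format used in this thread (the user's profile path is replaced with a placeholder and the file list is shortened).

```python
import re

# ComboFix banner lines look like "((((( Other Deletions )))))"; capture the title.
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def norm_path(path):
    """Lower-case and strip quotes/trailing separators so script and log paths compare equal."""
    return path.strip().strip('"').rstrip("\\").lower()


def parse_cfscript(text):
    """Return the Folder:: and File:: targets of a CFScript as {'folder': [...], 'file': [...]}."""
    targets = {"folder": [], "file": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):            # section header such as "Folder::" or "File::"
            section = line[:-2].lower()
            continue
        if section in targets:             # other directive kinds are ignored by this checker
            targets[section].append(norm_path(line))
    return targets


def parse_deletions(log_text):
    """Collect the paths ComboFix lists under its 'Other Deletions' banner."""
    deleted = set()
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            in_section = banner.group(1).lower() == "other deletions"
            continue
        if line.startswith(("---", "***")):  # other ComboFix dividers also end the section
            in_section = False
            continue
        if in_section and line and line != ".":
            deleted.add(norm_path(line))
    return deleted


def script_was_loaded(log_text):
    """True when the log's 'Command switches used ::' line names a CFScript."""
    for line in log_text.splitlines():
        if line.startswith("Command switches used ::"):
            return "cfscript.txt" in line.lower()
    return False


def check_script(script_text, log_text):
    """Report which targets were removed, which were not, and deletions the script never asked for."""
    targets = parse_cfscript(script_text)
    deleted = parse_deletions(log_text)
    report = {"removed": [], "not_removed": [], "unexpected": []}
    covered = set()
    for folder in targets["folder"]:
        # A folder counts as removed when the folder itself or anything beneath it was deleted.
        under = {p for p in deleted if p == folder or p.startswith(folder + "\\")}
        if under:
            report["removed"].append(folder)
            covered |= under
        else:
            report["not_removed"].append(folder)
    for path in targets["file"]:
        if path in deleted:
            report["removed"].append(path)
            covered.add(path)
        else:
            report["not_removed"].append(path)
    report["unexpected"] = sorted(deleted - covered)
    return report


# Constructed sample: the CFScript given in the post above.
SAMPLE_SCRIPT = r"""
Folder::
c:\program files\Coupons
File::
c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
"""

# Constructed sample log in the layout of the follow-up ComboFix log (placeholder user path).
SAMPLE_LOG = r"""
ComboFix 10-07-30.04 - <user> 07/31/2010 10:01:21.12.1 - x86
Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll"
"c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll"
.

(((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coupons
c:\program files\Coupons\Coupons.ico
c:\program files\Coupons\uninstall.exe
c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.
2010-07-01 21:20 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
"""

if __name__ == "__main__":
    print("script loaded:", script_was_loaded(SAMPLE_LOG))
    for key, paths in check_script(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{key}: {paths}")
```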

Re: 50 copies of wuauclt.exe process, and can't restart

Unread postby keithgmccall » July 31st, 2010, 7:50 pm

I have had problems in the past. I have run combofix under supervision most of the time. A little while ago I got something, so I ran combofix after all of my other scanners and it worked. I have gotten help at another forum, but this time my computer would not let me post on their site. Here are the logs. By the way, the online scanner took about five hours to update, and another six to actually scan. That is why it took me so long to post.

ComboFix 10-07-30.04 - Keith McCall 07/31/2010 10:01:21.12.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.250 [GMT -4:00]
Running from: c:\documents and settings\Keith McCall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keith McCall\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll"
"c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coupons
c:\program files\Coupons\Coupons.ico
c:\program files\Coupons\CouponsDotCom.url
c:\program files\Coupons\uninstall.exe
c:\program files\Coupons\Uninstall\IRIMG1.JPG
c:\program files\Coupons\Uninstall\IRIMG2.JPG
c:\program files\Coupons\Uninstall\IRIMG3.JPG
c:\program files\Coupons\Uninstall\IRIMG4.JPG
c:\program files\Coupons\Uninstall\IRIMG5.JPG
c:\program files\Coupons\Uninstall\IRIMG6.JPG
c:\program files\Coupons\Uninstall\IRIMG7.JPG
c:\program files\Coupons\Uninstall\IRIMG8.JPG
c:\program files\Coupons\Uninstall\uninstall.dat
c:\program files\Coupons\Uninstall\uninstall.xml
c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-18 15:59 . 2010-07-18 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 15:59 . 2010-07-18 15:59 -------- d-----w- c:\program files\NOS
2010-07-18 15:59 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-07-18 15:59 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-07-11 04:04 . 2010-07-11 04:08 63488 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-11 04:03 . 2010-07-11 04:03 52224 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-11 04:03 . 2010-07-11 04:08 117760 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-11 04:03 . 2010-07-11 04:03 -------- d-----w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com
2010-07-11 04:03 . 2010-07-11 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-10 23:29 . 2010-07-10 23:29 -------- dc----w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-01 21:20 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 00:16 . 2010-04-03 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-10 23:25 . 2009-01-20 00:36 -------- d-----w- c:\program files\Lavasoft
2010-07-02 14:30 . 2009-07-22 19:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-28 20:57 . 2010-02-25 00:04 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-02-25 00:04 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-02-25 00:04 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-02-25 00:04 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-02-25 00:04 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-02-25 00:04 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-02-25 00:04 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-02-25 00:04 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-10 17:16 . 2010-06-10 17:16 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-06-10 17:16 . 2010-06-10 17:16 -------- d-----w- c:\program files\Cisco Systems
2010-06-01 03:03 . 2010-06-01 03:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-13 00:36 . 2009-10-26 21:58 84512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-03 21:07 . 2010-05-03 21:07 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

Cryptography Services Error !!

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2010-07-14_22.18.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-30 15:46 . 2010-07-30 15:46 16384 c:\windows\Temp\Perflib_Perfdata_cd0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 198160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Gatorlink VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2010-6-10 6144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\HPQ\\shared\\hpqwmi.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2010 6:01 PM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/24/2010 8:04 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/24/2010 8:04 PM 17744]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/24/2008 5:13 PM 200192]
S1 tmsrrqp;tmsrrqp;c:\windows\system32\drivers\tmsrrqp.sys [8/4/2004 8:00 AM 295968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1592454029-682003330-1004Core.job
- c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 21:01]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1592454029-682003330-1004UA.job
- c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\Keith McCall\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Keith McCall\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Keith McCall\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Coupon Printer for Windows5.0.0.0 - c:\program files\Coupons\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 10:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?4?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-31 10:43:38
ComboFix-quarantined-files.txt 2010-07-31 14:43
ComboFix2.txt 2010-07-30 16:20
ComboFix3.txt 2010-07-25 18:30
ComboFix4.txt 2010-07-20 00:09
ComboFix5.txt 2010-07-31 13:57

Pre-Run: 5,818,658,816 bytes free
Post-Run: 5,805,506,560 bytes free

- - End Of File - - C9F741C038E50F57FFB4EF0B1D0F68A7

2010-07-31 14:43:11 . 2010-07-31 14:43:11 1,380 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Coupon Printer for Windows5.0.0.0.reg.dat
2010-07-31 14:01:18 . 2010-07-31 14:01:18 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-07-14 22:21:17 . 2010-07-14 22:21:17 656 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ISW.reg.dat
2010-07-14 22:21:16 . 2010-07-14 22:21:16 614 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Lavasoft Ad-Aware Service.reg.dat
2010-07-14 22:21:16 . 2010-07-14 22:21:16 538 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-tmsrrqp.reg.dat
2010-07-14 22:21:13 . 2010-07-14 22:21:13 146 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat
2010-06-09 03:12:36 . 2010-06-09 03:11:55 11,005 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG7.JPG.vir
2010-06-09 03:12:36 . 2010-06-09 03:11:55 17,831 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG8.JPG.vir
2010-06-09 03:12:36 . 2010-06-09 03:11:55 26,791 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG5.JPG.vir
2010-06-09 03:12:36 . 2010-06-09 03:11:55 4,301 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG6.JPG.vir
2010-06-09 03:12:36 . 2010-06-09 03:11:55 19,374 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG2.JPG.vir
2010-06-09 03:12:36 . 2010-06-09 03:11:55 17,831 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG3.JPG.vir
2010-06-09 03:12:36 . 2010-06-09 03:11:55 3,350 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG4.JPG.vir
2010-06-09 03:12:36 . 2010-06-09 03:11:55 18,195 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\IRIMG1.JPG.vir
2010-06-09 03:12:35 . 2010-06-09 03:12:36 10,159 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\uninstall.xml.vir
2010-06-09 03:12:35 . 2010-06-09 03:12:35 580,096 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\uninstall.exe.vir
2010-06-09 03:12:35 . 2010-06-09 03:12:35 510,904 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Uninstall\uninstall.dat.vir
2010-01-19 17:05:20 . 2010-01-19 17:05:20 846 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2010-01-19 17:05:12 . 2010-01-19 17:05:12 614 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-mopuwifade.reg.dat
2010-01-19 17:05:12 . 2010-01-19 17:05:12 610 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-d81961b8.reg.dat
2010-01-19 17:05:12 . 2010-01-19 17:05:12 616 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-CPMdb2a5224.reg.dat
2010-01-19 17:03:11 . 2010-07-31 14:05:14 7,920 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-01-19 16:57:17 . 2010-07-31 13:56:54 663 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-01-19 16:26:23 . 2010-01-19 16:26:23 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\10341.exe.vir
2010-01-19 06:08:34 . 2010-01-19 06:08:34 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\21350.exe.vir
2010-01-19 05:48:33 . 2010-01-19 05:48:33 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\28759.exe.vir
2010-01-19 05:28:31 . 2010-01-19 05:28:31 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\32675.exe.vir
2010-01-19 05:08:30 . 2010-01-19 05:08:30 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\3429.exe.vir
2010-01-19 04:48:29 . 2010-01-19 04:48:29 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\2575.exe.vir
2010-01-19 04:28:28 . 2010-01-19 04:28:28 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\26990.exe.vir
2010-01-19 04:08:27 . 2010-01-19 04:08:27 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\3336.exe.vir
2010-01-19 03:48:25 . 2010-01-19 03:48:25 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\20703.exe.vir
2010-01-19 03:02:51 . 2010-01-19 03:02:51 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\3758.exe.vir
2010-01-19 02:42:50 . 2010-01-19 02:42:50 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\12130.exe.vir
2010-01-19 02:22:45 . 2010-01-19 02:22:45 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\17818.exe.vir
2010-01-19 02:02:41 . 2010-01-19 02:02:41 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\5062.exe.vir
2010-01-19 01:42:39 . 2010-01-19 01:42:39 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\29569.exe.vir
2009-11-10 03:21:04 . 2009-09-17 16:17:34 894 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\Coupons.ico.vir
2009-11-10 03:21:04 . 2009-09-17 16:32:32 220 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Coupons\CouponsDotCom.url.vir
2009-11-10 03:21:04 . 2009-11-19 21:16:28 91,552 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll.vir
2009-11-10 03:21:04 . 2009-11-19 21:16:29 91,552 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll.vir
2008-10-24 21:35:59 . 2008-10-24 21:36:35 1,121 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
2004-08-04 12:00:00 . 2008-04-14 00:12:08 578,560 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\agwewjt.vir

KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, July 31, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, July 31, 2010 12:14:23
Records in database: 4184415
Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan e-mail databases: yes
Scan area: My Computer
  C:\
  D:\
  E:\
  H:\
Scan statistics
  Objects scanned: 92920
  Threats found: 1
  Infected objects found: 1
  Suspicious objects found: 0
  Scan duration: 06:22:01

File name: C:\Documents and Settings\Keith McCall\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{804F69A4-301D-4470-AC18-838AB6B6B32E}
Threat: Infected: Trojan.Win32.Qhost.lsc
Threats count: 1
Selected area has been scanned.

Re: 50 copies of wuauclt.exe process, and can't restart

Post by jmw3 » July 31st, 2010, 8:17 pm

Hi

SystemLook
Download SystemLook by jpshortstuff from one of the links below & save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it
  • Copy the contents of the Codebox below into the main textfield
    Code:
    :filefind
    spoolsv.*
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Post the contents of the log in your next reply
Note: The log can also be found on your Desktop entitled SystemLook.txt

The last ComboFix log is showing that there is a Cryptographic Services error. This may very well have something to do with the Windows Updates problem. Let's try the obvious first:
Make sure the Cryptographic Services is set to Automatic
  • Click Start >> Control Panel >> Administrative Tools
  • Double-click Services
  • Scroll down to Cryptographic Services, right-click on it then click Properties
  • Click Automatic for Startup type then click Start
  • OK your way out

Re: 50 copies of wuauclt.exe process, and can't restart

Post by keithgmccall » July 31st, 2010, 8:30 pm

Cryptographic Services was set to Automatic. Here is the SystemLook file.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:26 on 31/07/2010 by Keith McCall (Administrator - Elevation successful)

========== filefind ==========

Searching for "spoolsv.*"
C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe -----c 57856 bytes [19:52 01/04/2009] [12:00 04/08/2004] 7435B108B935E42EA92CA94F59C8E717
C:\WINDOWS\ERDNT\cache\spoolsv.exe --a--- 57856 bytes [17:04 19/01/2010] [00:12 14/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe ------ 57856 bytes [22:21 24/10/2008] [00:12 14/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B

-=End Of File=-

The

Re: 50 copies of wuauclt.exe process, and can't restart

Post by jmw3 » July 31st, 2010, 8:47 pm

Hi

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
FCopy::
C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe | c:\windows\System32\spoolsv.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

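The two helper posts above follow one line of reasoning: SystemLook's filefind shows spoolsv.exe in the service-pack uninstall folder, in ComboFix's ERDNT cache and in ServicePackFiles\i386, but reports no copy under System32, so the CFScript copies the ServicePackFiles build back into place. The script below is an added example and is not code from the thread, from SystemLook's author (jpshortstuff) or from ComboFix's author (sUBs). It parses the exact line format SystemLook printed in the log posted above (the three result lines are embedded as constructed sample input, copied from that log), decides whether the live binary is missing or differs from the reference copy, and emits the corresponding FCopy line. The helper names (parse_filefind, assess, corroborating_copies, cfscript_fcopy) are illustrative and are not APIs of either tool.

```python
"""Added example: triage a SystemLook ':filefind' log for a system binary.

Not code from the thread, SystemLook or ComboFix. Assumes the result-line
format SystemLook v1.0 printed in the thread:
  <path> <6-char attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
Helper names are illustrative, not tool APIs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the three hits from the SystemLook log in the
# thread, embedded verbatim so the script runs offline.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "spoolsv.*"
C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe -----c 57856 bytes [19:52 01/04/2009] [12:00 04/08/2004] 7435B108B935E42EA92CA94F59C8E717
C:\WINDOWS\ERDNT\cache\spoolsv.exe --a--- 57856 bytes [17:04 19/01/2010] [00:12 14/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe ------ 57856 bytes [22:21 24/10/2008] [00:12 14/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B

-=End Of File=-
"""

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str   # SystemLook attribute flags, e.g. '--a---' (archive), '-----c' (compressed)
    size: int
    mtime: str
    ctime: str
    md5: str


def parse_filefind(log_text: str) -> List[FileHit]:
    """Return one FileHit per result line; headers and separators are skipped."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["mtime"], m["ctime"], m["md5"].upper()))
    return hits


def index_by_path(hits: List[FileHit]) -> Dict[str, FileHit]:
    # NTFS paths are case-insensitive, so compare lower-cased keys.
    return {h.path.lower(): h for h in hits}


def assess(hits: List[FileHit], live_path: str, reference_path: str) -> str:
    """Compare the live binary against a known-good reference copy.

    A missing live hit means SystemLook did not see the file there. In the
    thread the catchme run reported 'hidden files: 0', which lowers (but does
    not remove) the chance that a rootkit is hiding it rather than it being gone.
    """
    by_path = index_by_path(hits)
    ref = by_path.get(reference_path.lower())
    live = by_path.get(live_path.lower())
    if ref is None:
        return "no_reference"
    if live is None:
        return "restore_from_reference"
    if live.size == ref.size and live.md5 == ref.md5:
        return "live_matches_reference"
    return "live_differs_from_reference"


def corroborating_copies(hits: List[FileHit], reference_path: str) -> List[FileHit]:
    """Other copies whose MD5 equals the reference's: independent evidence that
    the reference really is the current service-pack build. Note that the
    $NtServicePackUninstall$ copy is the pre-SP binary (2004 timestamp, different
    MD5) and must not be used as the reference on an SP3 machine."""
    ref_key = reference_path.lower()
    ref = index_by_path(hits).get(ref_key)
    if ref is None:
        return []
    return [h for h in hits if h.path.lower() != ref_key and h.md5 == ref.md5]


def cfscript_fcopy(src: str, dst: str) -> str:
    """Render the ComboFix FCopy:: directive in the form used in the thread."""
    return "FCopy::\n" + src + " | " + dst + "\n"


if __name__ == "__main__":
    hits = parse_filefind(SAMPLE_LOG)
    live = r"C:\WINDOWS\system32\spoolsv.exe"
    ref = r"C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe"
    verdict = assess(hits, live, ref)
    print("verdict:", verdict)
    for h in corroborating_copies(hits, ref):
        print("corroborated by:", h.path, h.md5)
    if verdict == "restore_from_reference":
        print(cfscript_fcopy(ref, live))
```

Run against the sample it reports restore_from_reference, lists the ERDNT cache copy as corroboration (same MD5 as the ServicePackFiles copy), and prints the same FCopy:: block the helper asked for. The size-and-MD5 comparison is what makes the decision defensible: two builds of spoolsv.exe on this machine are the same 57856 bytes, and only the hash separates the 2004 RTM copy from the SP3 copy.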
Re: 50 copies of wuauclt.exe process, and can't restart

Post by keithgmccall » July 31st, 2010, 9:50 pm

If it matters, my Windows Explorer was down after running ComboFix, so I had to restart my computer.

ComboFix 10-07-31.02 - Keith McCall 07/31/2010 21:14:49.13.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.521 [GMT -4:00]
Running from: c:\documents and settings\Keith McCall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keith McCall\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\spoolsv.exe --> c:\windows\System32\spoolsv.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-08-01 01:14 . 2008-04-14 00:12 57856 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-31 15:56 . 2010-07-31 15:56 503808 ----a-w- c:\documents and settings\Keith McCall\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-10e02576-n\msvcp71.dll
2010-07-31 15:56 . 2010-07-31 15:56 499712 ----a-w- c:\documents and settings\Keith McCall\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-10e02576-n\jmc.dll
2010-07-31 15:56 . 2010-07-31 15:56 348160 ----a-w- c:\documents and settings\Keith McCall\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-10e02576-n\msvcr71.dll
2010-07-31 15:56 . 2010-07-31 15:56 61440 ----a-w- c:\documents and settings\Keith McCall\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b9336da-n\decora-sse.dll
2010-07-31 15:56 . 2010-07-31 15:56 12800 ----a-w- c:\documents and settings\Keith McCall\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b9336da-n\decora-d3d.dll
2010-07-31 15:56 . 2010-07-31 15:55 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-18 15:59 . 2010-07-18 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 15:59 . 2010-07-18 15:59 -------- d-----w- c:\program files\NOS
2010-07-18 15:59 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-07-18 15:59 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-07-11 04:04 . 2010-07-11 04:08 63488 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-11 04:03 . 2010-07-11 04:03 52224 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-11 04:03 . 2010-07-11 04:08 117760 ----a-w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-11 04:03 . 2010-07-11 04:03 -------- d-----w- c:\documents and settings\Keith McCall\Application Data\SUPERAntiSpyware.com
2010-07-11 04:03 . 2010-07-11 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-10 23:29 . 2010-07-10 23:29 -------- dc----w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 15:56 . 2008-10-24 21:38 -------- d-----w- c:\program files\Common Files\Java
2010-07-24 00:16 . 2010-04-03 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-10 23:25 . 2009-01-20 00:36 -------- d-----w- c:\program files\Lavasoft
2010-07-02 14:30 . 2009-07-22 19:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-28 20:57 . 2010-07-01 21:20 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-02-25 00:04 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-02-25 00:04 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-02-25 00:04 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-02-25 00:04 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-02-25 00:04 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-02-25 00:04 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-02-25 00:04 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-02-25 00:04 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-10 17:16 . 2010-06-10 17:16 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-06-10 17:16 . 2010-06-10 17:16 -------- d-----w- c:\program files\Cisco Systems
2010-06-01 03:03 . 2010-06-01 03:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-13 00:36 . 2009-10-26 21:58 84512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-03 21:07 . 2010-05-03 21:07 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-07-14_22.18.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-31 15:56 . 2010-07-31 15:56 16384 c:\windows\Temp\Perflib_Perfdata_f4.dat
+ 2010-07-31 15:56 . 2010-07-31 15:55 153376 c:\windows\system32\javaws.exe
+ 2010-07-31 15:56 . 2010-07-31 15:55 145184 c:\windows\system32\javaw.exe
+ 2010-07-31 15:56 . 2010-07-31 15:55 145184 c:\windows\system32\java.exe
+ 2010-07-31 15:56 . 2010-07-31 15:56 180224 c:\windows\Installer\609b1.msi
+ 2010-07-31 15:55 . 2010-07-31 15:55 677376 c:\windows\Installer\609aa.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 198160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Gatorlink VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2010-6-10 6144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\HPQ\\shared\\hpqwmi.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2010 6:01 PM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/24/2010 8:04 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/24/2010 8:04 PM 17744]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/24/2008 5:13 PM 200192]
S1 tmsrrqp;tmsrrqp;c:\windows\system32\drivers\tmsrrqp.sys [8/4/2004 8:00 AM 295968]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-31 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:04]

2010-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1592454029-682003330-1004Core.job
- c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 21:01]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1592454029-682003330-1004UA.job
- c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith McCall\Application Data\Mozilla\Firefox\Profiles\178tfl7i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\Keith McCall\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Keith McCall\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Keith McCall\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Keith McCall\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?4?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'Explorer.EXE'(132)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\program files\Common Files\Microsoft Shared\office12\lbghost.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2010-07-31 21:37:37
ComboFix-quarantined-files.txt 2010-08-01 01:37
ComboFix2.txt 2010-07-31 14:43
ComboFix3.txt 2010-07-30 16:20
ComboFix4.txt 2010-07-25 18:30
ComboFix5.txt 2010-08-01 01:13

Pre-Run: 5,532,073,984 bytes free
Post-Run: 5,631,922,176 bytes free

- - End Of File - - 48747A7A48BDD6633DEC4F099CA41F85