TechSpot

Blue screen, Artemis, and multiple iexplore.exe

By aero05
Jul 13, 2010
  1. My computer is running slow and I had a blue screen yesterday. McAfee today said that a trojan was removed: Artemis!D7A66DDA4489. Also, I noticed in Tasks that (2) iexplore.exe were running.

    Here's the first log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4309

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    7/13/2010 3:15:24 PM
    mbam-log-2010-07-13 (15-15-24).txt

    Scan type: Quick scan
    Objects scanned: 129399
    Time elapsed: 14 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


  2. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-13 15:55:05
    Windows 5.1.2600 Service Pack 3
    Running: ezd1j09u.exe; Driver: C:\DOCUME~1\Kent\LOCALS~1\Temp\ffqyrkow.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF83B4DB0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF83B4DC4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF83B4DF0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF83B4E46]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF83B4D9C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF83B4D74]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF83B4D88]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF83B4DDA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF83B4E1C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF83B4E06]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF83B4E70]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF83B4E5C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF83B4E30]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP F83B4E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP F83B4E4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP F83B4E60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 5 Bytes JMP F83B4E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP F83B4D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP F83B4D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP F83B4E74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP F83B4E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP F83B4DDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP F83B4DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP F83B4DC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP F83B4DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP F83B4DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008D0000
    .text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008D0FEF
    .text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008D0025
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C0FE5
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C0F72
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C005D
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C004C
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0F8D
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C001E
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C0F29
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C0F44
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C0F07
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C0096
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0EEC
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C002F
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0FCA
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C0F61
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C0FA8
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C0FB9
    .text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C0F18
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B0FCA
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0F79
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B001B
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0FEF
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0F8A
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B000A
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008B0FA5
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AB, 88]
    .text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5
     
  3. aero05


    ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B002C
    .text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0042
    .text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A001D
    .text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0FD2
    .text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
    .text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0FAD
    .text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A000C
    .text C:\WINDOWS\system32\svchost.exe[296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00890000
    .text C:\WINDOWS\system32\svchost.exe[340] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01030000
    .text C:\WINDOWS\system32\svchost.exe[340] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0103002C
    .text C:\WINDOWS\system32\svchost.exe[340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0103001B
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0000
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF0F7A
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0F8B
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0FB2
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0FC3
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0051
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F42
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0F5F
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF00D1
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF00C0
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF0F1D
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF0FD4
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0FEF
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF008A
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0040
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF002F
    .text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF00A5
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0FC3
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE0F83
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0FDE
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0FEF
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0F9E
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0000
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EE004A
    .text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0039
    .text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0055
    .text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED003A
    .text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED0FD4
    .text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0FEF
    .text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0029
    .text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED000C
    .text C:\WINDOWS\system32\svchost.exe[340] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0FEF
    .text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B90000
    .text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B90FCA
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F72
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B8005D
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F83
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80036
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FA8
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80089
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F41
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80EFA
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F0B
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes
     
  4. aero05


    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B80EE9
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80025
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B8000A
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80078
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FB9
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80FD4
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F1C
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930047
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F9E
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093002C
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930011
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FAF
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FC0
     
  5. aero05


    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FDB
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920040
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920025
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FAB
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092000A
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FC6
    .text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900014
    .text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FDE
    .text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0090002F
    .text C:\WINDOWS\system32\svchost.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
    .text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F40FEF
    .text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F4001B
    .text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F4000A
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30F65
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30F80
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30F91
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F3004E
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FC0
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30F39
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30F4A
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F300BE
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300AD
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F30F0A
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F3003D
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F30011
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F3006B
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30FD1
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F30022
    .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F30092
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F2002C
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20F8D
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F2001B
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FE5
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20F9E
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F2000A
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F20FAF
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 89]
    .text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20FCA
    .text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10F92
    .text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F1001D
    .text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FC8
    .text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F1000C
    .text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FAD
    .text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3
    .text C:\WINDOWS\System32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FE5
    .text C:\WINDOWS\system32\services.exe[1364] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00740000
    .text C:\WINDOWS\system32\services.exe[1364] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00740FC0
    .text C:\WINDOWS\system32\services.exe[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00740FE5
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0078
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0F83
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0051
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0F94
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0FAF
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E00AE
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0093
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0F15
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F30
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0F04
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0036
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E001B
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F68
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0FC0
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FDB
    .text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0F41
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FCA
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0047
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D001B
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FE5
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0036
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D0000
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0F9E
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
    .text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0FB9
    .text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C002C
    .text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C001B
    .text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FC6
    .text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0000
    .text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0FB5
    .text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FE3
    .text C:\WINDOWS\system32\services.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0000
    .text C:\WINDOWS\system32\lsass.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CA0FEF
    .text C:\WINDOWS\system32\lsass.exe[1376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CA0011
    .text C:\WINDOWS\system32\lsass.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA0000
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F48
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F63
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C9003D
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C9002C
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FA5
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90075
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90064
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F08
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900A1
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900BC
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90F8A
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C9000A
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F37
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FC0
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C9001B
    .text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90086
    .text C:\WINDOWS\system32\lsass.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C8000A
    .text C:\WINDOWS\system32\lsass.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80F8D
    .text C:\WINDOWS\system32\lsass.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FB9
     
  6. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    .text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A30000
    .text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A3003D
    .text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A30FE5
    .text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01A30F91
    .text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 89]
    .text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A30022
    .text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A20FB7
    .text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A20038
    .text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A20FE3
    .text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A20000
    .text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A20FC8
    .text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A20011
    .text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01A00FEF
    .text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01A00FCA
    .text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01A00FAF
    .text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01A00F9E
    .text C:\WINDOWS\Explorer.EXE[1800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01A10000
    .text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 06120FEF
    .text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0612001B
    .text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0612000A
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 06110000
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 06110082
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 06110071
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 06110054
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 06110F97
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 06110FB9
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 06110F5F
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 061100A7
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 061100E0
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 06110F3D
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 061100FB
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 06110FA8
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 06110FE5
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 06110F7C
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 06110FD4
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0611001B
    .text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 06110F4E
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 06100FC0
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 06100058
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 06100011
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 06100FDB
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 06100047
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 06100000
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 06100036
    .text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 06100FA5
    .text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 060F0053
    .text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!system 77C293C7 5 Bytes JMP 060F0FC8
    .text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 060F001D
    .text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 060F0000
    .text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 060F0038
    .text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 060F0FE3
    .text C:\WINDOWS\System32\svchost.exe[1856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016B0000
    .text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 009A0FEF
    .text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 009A0000
    .text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 009A0FD4
    .text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 009A0FB9
    .text C:\WINDOWS\system32\svchost.exe[2060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01DC0000
    .text C:\WINDOWS\system32\svchost.exe[2060] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01DC0025
    .text C:\WINDOWS\system32\svchost.exe[2060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01DC0FE5
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012A0FE5
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012A007F
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012A0F8A
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012A0062
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012A0051
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012A0FCA
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012A0F5E
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012A0F6F
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012A00DC
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012A00CB
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012A00F7
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012A0FB9
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012A0000
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012A009A
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012A0036
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012A001B
    .text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012A0F4D
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01290025
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01290076
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01290014
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01290FDE
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01290065
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01290FEF
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01290FC3
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 89]
    .text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01290040
     
  7. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    .text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01280029
    .text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!system 77C293C7 5 Bytes JMP 01280F9E
    .text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01280FCD
    .text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01280FEF
    .text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01280018
    .text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01280FDE
    .text C:\WINDOWS\system32\svchost.exe[2060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01270000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03050FEF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03050014
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03050FDE
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03040000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03040F8F
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03040084
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03040073
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03040FB6
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03040058
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03040F52
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03040F63
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030400C6
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 030400B5
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 030400D7
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03040FC7
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0304001B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03040F74
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03040047
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03040036
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03040F37
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 039F0FCA
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 039F0F97
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 039F001B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 039F000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 039F004A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 039F0FEF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 039F0FA8
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 8B]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 039F0FB9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 039E0F90
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!system 77C293C7 5 Bytes JMP 039E0FB5
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 039E0000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_open 77C2F566 5 Bytes JMP 039E0FE3
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 039E0025
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 039E0FD2
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 038B0FEF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 038B0014
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 038B0025
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 038B0FDE
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ws2_32.dll!socket 71AB4211 5 Bytes JMP 039D0FEF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00150000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00150022
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00150011
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F75
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0027006A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F90
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270FA1
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FC3
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002700A0
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270F4E
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270F29
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700CC
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002700DD
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270FB2
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270014
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270085
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0027002F
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FDE
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002700B1
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FCA
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360FAF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FE5
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0036001B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360062
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0036000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00360047
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360036
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370F8B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370FA6
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FD2
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370FE3
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FB7
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01550FEF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01550000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0155001B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01550036
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ws2_32.dll!socket 71AB4211 5 Bytes JMP 02050000

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1336] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1336] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
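Reading the GMER output above, as an added example that is not part of aero05's posts or of GMER itself: the script below parses the `.text` hook lines, folds the `+ 3 ... [xx, yy]` continuation lines back into the patch they belong to, reports which APIs are patched in every process, and groups the JMP targets GMER could not attribute to a loaded module by process and 64 KiB page. The sample lines are copied from the log posted above (two of its processes); the regex covers only the `.text` line format shown, not the `IAT` or `AttachedDevice` sections. The reading in the docstrings (a uniform hook set across services.exe, lsass.exe, svchost.exe and IE means one system-wide hooking component, and the unattributed targets are stub blocks in allocated memory rather than mapped images) is my interpretation of GMER's output conventions and does not by itself say whether that component is a security product, such as the McAfee drivers GMER lists under Devices, or something injected; settling that needs a dump of the target pages or a tool that maps them to their allocator.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One GMER ".text" line: process[PID], module!export (+ optional "+ N" offset),
# patched address, byte count, then "JMP target" or raw bytes "[xx, yy]", and
# optionally the module GMER mapped the target to with "(Description/Vendor)".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})|\[(?P<raw>[^\]]*)\])"
    r"(?:\s+(?P<owner>.+?\.(?:dll|exe|sys))\s+\((?P<desc>[^)]*)\))?\s*$",
    re.IGNORECASE)

@dataclass
class Hook:
    proc: str              # image basename, lower-cased
    pid: int
    api: str               # e.g. "kernel32.dll!CreateProcessW"
    addr: int              # patched address inside the exporting module
    target: Optional[int]  # JMP destination
    owner: Optional[str]   # module GMER attributed the target to, if any
    split: bool = False    # patch reported in two pieces ("export + 3 ...")

def parse_hooks(text: str) -> list:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, IAT/EAT and Devices lines, blanks
        pid, api = int(m["pid"]), f"{m['module'].lower()}!{m['export']}"
        if m["offset"] is not None:
            # "export + 3 ... [8D, 88]" is the tail of the previous line's patch:
            # GMER prints the runs of bytes that differ from the on-disk image,
            # so a 5-byte JMP whose middle byte equals the original is split.
            if hooks and hooks[-1].pid == pid and hooks[-1].api == api:
                hooks[-1].split = True
            continue
        hooks.append(Hook(
            proc=m["proc"].rsplit("\\", 1)[-1].lower(),
            pid=pid,
            api=api,
            addr=int(m["addr"], 16),
            target=int(m["target"], 16) if m["target"] else None,
            owner=m["owner"].rsplit("\\", 1)[-1] if m["owner"] else None,
        ))
    return hooks

def summarize(hooks):
    """Per (process, pid): patched APIs, unattributed JMP targets, owner modules."""
    per = {}
    for h in hooks:
        s = per.setdefault((h.proc, h.pid),
                           {"apis": set(), "unattributed": 0, "owners": set()})
        s["apis"].add(h.api)
        if h.owner:
            s["owners"].add(h.owner)
        else:
            s["unattributed"] += 1
    return per

def common_apis(hooks):
    """APIs patched in every hooked process: one uniform set across unrelated
    processes points to a single component hooking system-wide, unlike the
    IEFRAME.dll hooks on USER32 dialog calls that exist only inside IE."""
    by_proc = defaultdict(set)
    for h in hooks:
        by_proc[(h.proc, h.pid)].add(h.api)
    return set.intersection(*by_proc.values()) if by_proc else set()

def trampoline_pages(hooks):
    """Unattributed JMP targets grouped by process and 64 KiB page, with the
    exporting module(s) landing there. GMER prints no owner because the page
    is not a mapped image; one page per hooked DLL fits a hooking engine that
    allocates a stub block per patched module (my reading, not GMER's claim)."""
    pages = defaultdict(set)
    for h in hooks:
        if h.owner is None and h.target is not None:
            pages[(h.proc, h.pid, h.target >> 16)].add(h.api.split("!")[0])
    return pages

# Lines copied verbatim from the GMER log posted above (two of its processes).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0F15
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0F9E
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
.text C:\WINDOWS\system32\services.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030400C6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 039F0FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 8B]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ws2_32.dll!socket 71AB4211 5 Bytes JMP 039D0FEF
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1336] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    print("hooked in every process:", sorted(common_apis(hooks)))
    for key, mods in sorted(trampoline_pages(hooks).items()):
        print(key[0], key[1], f"{key[2]:04X}0000 <-", sorted(mods))
```

To run it over the whole log, replace `SAMPLE_LOG` with the file contents; on the full GMER output above the same grouping shows every process getting one stub page per hooked DLL (kernel32, advapi32, msvcrt, ws2_32, wininet) and the only attributed targets being IEFRAME.dll inside the two IEXPLORE.EXE instances.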
     
  8. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    DDS (Ver_09-09-29.01) - NTFSx86
    Run by Kent at 16:06:12.50 on Tue 07/13/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.114 [GMT -4:00]

    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    svchost.exe 4
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    svchost.exe 4
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Kent\My Documents\Downloads\dds.com

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100519222050.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [F.lux] "c:\documents and settings\kent\local settings\apps\f.lux\flux.exe" /noshow
    uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
    uRun: [ContactKeeper Birthday reminder] "c:\program files\contactkeeper\ContactKeeper.exe" /Reminder
    uRun: [SwiftToDoListLite] "c:\program files\swift to-do list\Swift To-Do List Lite.exe" minimized
    mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\kent\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\kent\applic~1\mozilla\firefox\profiles\0icoraqd.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/defaulta.aspx
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-9 385880]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-1 82952]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-9 93320]
    R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-1 170144]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-1 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-1 141792]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-1 55456]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-9 152320]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-9 51688]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-1 312616]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88480]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-1 83496]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-9 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-9 40552]

    =============== Created Last 30 ================

    2010-07-13 13:48 <DIR> --d----- c:\windows\system32\wbem\Logs
    2010-07-13 09:00 <DIR> --d----- c:\windows\Downloaded Installations
    2010-07-13 08:59 <DIR> --dsh--- c:\windows\ftpcache
    2010-07-09 12:57 <DIR> --d----- c:\program files\Citrix
    2010-07-09 12:55 72,080 a------- c:\documents and settings\kent\g2mdlhlpx.exe
    2010-06-30 10:04 122,880 a------- c:\windows\system32\cPopMenu6.ocx
    2010-06-30 10:04 <DIR> --d----- c:\program files\Swift To-Do List
    2010-06-30 09:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Data Access Worldwide
    2010-06-30 09:23 <DIR> --d----- c:\program files\Visual DataFlex 14.0
    2010-06-30 08:08 137,000 a------- c:\windows\system32\msmapi32.ocx
    2010-06-30 08:08 108,336 a------- c:\windows\system32\mswinsck.ocx
    2010-06-30 08:08 608,448 a------- c:\windows\system32\comctl32.ocx
    2010-06-30 08:08 166,600 a------- c:\windows\system32\msmask32.ocx
    2010-06-30 08:08 <DIR> --d----- c:\program files\ContactKeeper
    2010-06-30 08:07 <DIR> --d----- c:\docume~1\kent\applic~1\stickies
    2010-06-30 08:07 587 a------- c:\windows\uninstallstickies.bat
    2010-06-30 08:07 <DIR> --d----- c:\program files\stickies
    2010-06-25 13:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
    2010-06-25 12:16 <DIR> --d----- c:\docume~1\kent\applic~1\IObit
    2010-06-25 12:16 <DIR> --d----- c:\program files\IObit

    ==================== Find3M ====================

    2010-05-21 14:14 221,568 -------- c:\windows\system32\MpSigStub.exe
    2010-05-04 13:20 832,512 a------- c:\windows\system32\wininet.dll
    2010-05-04 13:20 78,336 a------- c:\windows\system32\ieencode.dll
    2010-05-04 13:20 17,408 a------- c:\windows\system32\corpol.dll
    2010-05-02 01:22 1,851,264 a------- c:\windows\system32\win32k.sys
    2010-04-20 01:30 285,696 a------- c:\windows\system32\atmfd.dll
    2010-01-29 00:10 256 a------- c:\documents and settings\kent\pool.bin

    ============= FINISH: 16:06:52.73 ===============
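The "Created Last 30" and "Find3M" sections of the DDS log above are the parts an analyst reads first: each line is a creation/modification timestamp, a size or <DIR>, an attribute flag string, and a path. The following is an added example, not part of this thread, of DDS or of any tool used here, that parses those lines and applies three triage heuristics: hidden+system attributes on a new object, a file dropped straight into a user profile root, and a new module in system32. Each hit is then correlated with Program Files directories created within the same two-minute window, so a module that arrived with an installer (ContactKeeper's OCX files, the GoToMeeting helper next to the Citrix folder) is separated from drops with no explanation. SAMPLE_DDS is an excerpt copied from the log above; the meaning of the attribute letters d/s/h (directory, system, hidden) is an assumption, and any other letter is ignored.

```python
"""Added example (not part of DDS or this thread): triage the "Created Last 30"
and "Find3M" sections of a DDS log. SAMPLE_DDS is an excerpt of the log above.
Assumed attribute letters: d=directory, s=system, h=hidden; others are ignored."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SAMPLE_DDS = r"""
=============== Created Last 30 ================
2010-07-13 13:48 <DIR> --d----- c:\windows\system32\wbem\Logs
2010-07-13 09:00 <DIR> --d----- c:\windows\Downloaded Installations
2010-07-13 08:59 <DIR> --dsh--- c:\windows\ftpcache
2010-07-09 12:57 <DIR> --d----- c:\program files\Citrix
2010-07-09 12:55 72,080 a------- c:\documents and settings\kent\g2mdlhlpx.exe
2010-06-30 10:04 122,880 a------- c:\windows\system32\cPopMenu6.ocx
2010-06-30 10:04 <DIR> --d----- c:\program files\Swift To-Do List
2010-06-30 09:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Data Access Worldwide
2010-06-30 09:23 <DIR> --d----- c:\program files\Visual DataFlex 14.0
2010-06-30 08:08 137,000 a------- c:\windows\system32\msmapi32.ocx
2010-06-30 08:08 108,336 a------- c:\windows\system32\mswinsck.ocx
2010-06-30 08:08 608,448 a------- c:\windows\system32\comctl32.ocx
2010-06-30 08:08 166,600 a------- c:\windows\system32\msmask32.ocx
2010-06-30 08:08 <DIR> --d----- c:\program files\ContactKeeper
2010-06-30 08:07 587 a------- c:\windows\uninstallstickies.bat
2010-06-30 08:07 <DIR> --d----- c:\program files\stickies
==================== Find3M ====================
2010-05-21 14:14 221,568 -------- c:\windows\system32\MpSigStub.exe
2010-05-04 13:20 832,512 a------- c:\windows\system32\wininet.dll
2010-05-04 13:20 78,336 a------- c:\windows\system32\ieencode.dll
2010-05-04 13:20 17,408 a------- c:\windows\system32\corpol.dll
2010-05-02 01:22 1,851,264 a------- c:\windows\system32\win32k.sys
2010-04-20 01:30 285,696 a------- c:\windows\system32\atmfd.dll
2010-01-29 00:10 256 a------- c:\documents and settings\kent\pool.bin
"""

_ENTRY = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:(?P<size>[\d,]+)|<DIR>)\s+"
                    r"(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$")
_PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$")
_MODULE_EXT = (".dll", ".ocx", ".sys", ".exe")

@dataclass
class Entry:
    when: datetime
    size: Optional[int]   # None for directories
    attrs: str            # raw DDS flag string, e.g. "--dsh---"
    path: str             # lower-cased so the heuristics are case-insensitive

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

@dataclass
class Finding:
    path: str
    reason: str
    explained_by: Optional[str] = None   # Program Files dir created in the same window

def parse_dds_entries(text: str) -> List[Entry]:
    """Parse entry lines; section headers and anything else are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            size = int(m["size"].replace(",", "")) if m["size"] else None
            entries.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                                 size, m["attrs"], m["path"].lower()))
    return entries

def _installer_near(e: Entry, entries: List[Entry], window=timedelta(minutes=2)) -> Optional[str]:
    """First Program Files directory created within `window` of e: a likely installer."""
    for other in entries:
        if other.is_dir and other.path.startswith("c:\\program files\\") \
                and abs(other.when - e.when) <= window:
            return other.path
    return None

def triage(entries: List[Entry]) -> List[Finding]:
    """Leads, not verdicts: every finding still needs a hash or signature check."""
    findings = []
    for e in entries:
        if e.hidden_system:
            findings.append(Finding(e.path, "hidden+system attributes on new object"))
        elif not e.is_dir and _PROFILE_ROOT.match(e.path):
            findings.append(Finding(e.path, "file dropped in user profile root", _installer_near(e, entries)))
        elif not e.is_dir and e.path.startswith("c:\\windows\\system32\\") and e.path.endswith(_MODULE_EXT):
            findings.append(Finding(e.path, "new module in system32", _installer_near(e, entries)))
    return findings

def unexplained(findings: List[Finding]) -> List[Finding]:
    """Findings with no installer in the same time window: look at these first."""
    return [f for f in findings if f.explained_by is None]

if __name__ == "__main__":
    for f in triage(parse_dds_entries(SAMPLE_DDS)):
        print(f"{f.path:55} {f.reason:40} {f.explained_by or '-'}")
```

On this log the unexplained set is c:\windows\ftpcache, the system32 files from 4/20, 5/2, 5/4 and 5/21, and kent\pool.bin. The next manual step is to line those dates up against the Attach.txt below: the "Software Distribution Service 3.0" restore points on 5/4, 5/5, 5/20 and 5/21 and the KB list under Installed Programs account for Windows Update activity, which leaves a much shorter list to hash-check.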
     
  9. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    DDS (Ver_09-09-29.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/10/2009 12:02:48 AM
    System Uptime: 7/13/2010 9:20:21 AM (7 hours ago)

    Motherboard: Dell Inc. | | 0X9238
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 75 GiB total, 59.953 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Ethernet Controller
    Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
    Service:

    ==== System Restore Points ===================

    RP171: 4/15/2010 8:02:21 PM - System Checkpoint
    RP172: 4/16/2010 10:52:36 PM - System Checkpoint
    RP173: 4/17/2010 7:57:00 AM - Software Distribution Service 3.0
    RP174: 4/18/2010 3:06:25 PM - System Checkpoint
    RP175: 4/20/2010 8:13:18 PM - System Checkpoint
    RP176: 4/22/2010 7:21:36 PM - System Checkpoint
    RP177: 4/23/2010 1:55:11 AM - Software Distribution Service 3.0
    RP178: 4/24/2010 8:16:30 AM - System Checkpoint
    RP179: 4/28/2010 9:13:26 PM - Software Distribution Service 3.0
    RP180: 5/4/2010 9:51:07 PM - System Checkpoint
    RP181: 5/5/2010 3:47:04 PM - Software Distribution Service 3.0
    RP182: 5/6/2010 3:58:15 PM - System Checkpoint
    RP183: 5/7/2010 1:36:10 AM - Software Distribution Service 3.0
    RP184: 5/11/2010 7:34:21 PM - System Checkpoint
    RP185: 5/13/2010 9:27:56 PM - System Checkpoint
    RP186: 5/16/2010 7:30:27 PM - System Checkpoint
    RP187: 5/16/2010 7:56:00 PM - Software Distribution Service 3.0
    RP188: 5/17/2010 9:33:39 PM - System Checkpoint
    RP189: 5/19/2010 10:53:39 PM - System Checkpoint
    RP190: 5/20/2010 1:36:19 AM - Software Distribution Service 3.0
    RP191: 5/20/2010 8:55:48 PM - Software Distribution Service 3.0
    RP192: 5/21/2010 6:36:15 PM - Software Distribution Service 3.0
    RP193: 5/24/2010 7:59:15 PM - Software Distribution Service 3.0
    RP194: 5/27/2010 3:52:14 PM - Software Distribution Service 3.0
    RP195: 5/27/2010 3:55:36 PM - Software Distribution Service 3.0
    RP196: 5/29/2010 3:14:55 PM - System Checkpoint
    RP197: 5/31/2010 3:39:22 PM - Software Distribution Service 3.0
    RP198: 6/1/2010 7:02:42 PM - System Checkpoint
    RP199: 6/3/2010 9:43:54 PM - Software Distribution Service 3.0
    RP200: 6/5/2010 6:43:21 PM - System Checkpoint
    RP201: 6/6/2010 7:29:27 AM - Software Distribution Service 3.0
    RP202: 6/7/2010 4:58:57 PM - Software Distribution Service 3.0
    RP203: 6/9/2010 6:27:39 PM - System Checkpoint
    RP204: 6/10/2010 7:01:19 AM - Software Distribution Service 3.0
    RP205: 6/11/2010 9:14:10 AM - Software Distribution Service 3.0
    RP206: 6/14/2010 12:28:54 PM - System Checkpoint
    RP207: 6/15/2010 8:01:05 AM - Software Distribution Service 3.0
    RP208: 6/16/2010 7:09:10 PM - System Checkpoint
    RP209: 6/17/2010 7:22:47 PM - Installed Windows Media Player Firefox Plugin
    RP210: 6/18/2010 7:47:17 AM - Software Distribution Service 3.0
    RP211: 6/20/2010 5:30:12 PM - System Checkpoint
    RP212: 6/22/2010 8:02:32 AM - Software Distribution Service 3.0
    RP213: 6/24/2010 7:00:54 AM - Software Distribution Service 3.0
    RP214: 6/25/2010 7:18:25 AM - Software Distribution Service 3.0
    RP215: 6/25/2010 12:19:00 PM - Advanced SystemCare RestorePoint
    RP216: 6/27/2010 12:52:58 PM - System Checkpoint
    RP217: 6/28/2010 1:28:45 PM - System Checkpoint
    RP218: 6/29/2010 7:07:47 AM - Software Distribution Service 3.0
    RP219: 6/30/2010 8:39:07 AM - System Checkpoint
    RP220: 7/1/2010 5:58:59 PM - System Checkpoint
    RP221: 7/2/2010 1:32:49 AM - Software Distribution Service 3.0
    RP222: 7/3/2010 8:25:12 AM - System Checkpoint
    RP223: 7/4/2010 10:04:28 AM - System Checkpoint
    RP224: 7/5/2010 12:50:31 PM - System Checkpoint
    RP225: 7/5/2010 6:08:40 PM - Software Distribution Service 3.0
    RP226: 7/8/2010 5:50:27 PM - Software Distribution Service 3.0
    RP227: 7/9/2010 9:12:18 PM - System Checkpoint
    RP228: 7/12/2010 10:11:51 AM - System Checkpoint
    RP229: 7/13/2010 7:27:39 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    ABC Amber BlackBerry Converter
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.2
    Advanced SystemCare 3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    BlackBerry Desktop Software 5.0.1
    BlackBerry® Media Sync
    Bonjour
    C-Major Audio
    Canon i860
    ContactKeeper 1.4.3
    Dell ResourceCD
    F.lux
    FoxyTunes for Firefox
    GoToMeeting 4.5.0.457
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) PROSet/Wireless Software
    Internal Network Card Power Management
    iTunes
    Java(TM) 6 Update 14
    LG USB Modem driver
    Malwarebytes' Anti-Malware
    Maxtor Manager
    McAfee Total Protection
    mCore
    mDriver
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    mIWA
    mIWCA
    mLogView
    mMHouse
    Mozilla Firefox (3.6.3)
    mPfMgr
    mPfWiz
    mProSafe
    mSSO
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    mToolkit
    mWlsSafe
    mXML
    mZConfig
    PowerDVD
    PrimoPDF -- brought to you by Nitro PDF Software
    QuickSet
    QuickTime
    Registry Patrol
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Smart Defrag
    Stickies 7.0a
    Swift To-Do List Lite 1.33
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973687)
    V CAST Music with Rhapsody
    Visual DataFlex 2008 Client Engine 14.0
    VZAccess Manager
    WebFldrs XP
    Windows Defender
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    7/8/2010 9:28:03 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/12/2010 9:39:11 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Security with the following error: System could not allocate the required space in a registry log.

    ==== End Of File ===========================
     
  10. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    How should I address this problem? Since I haven't received a response, did I use improper protocol? Thanks!
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Duplicate thread of http://www.techspot.com/vb/topic150040.html

    I'd like to address a couple of issues before I go on:
    1. I recommend that you uninstall the IOBIT Advanced System Care. This is not a good program to have on the system and the home site is questionable.
    2. You are using Registry Patrol. Most of us don't recommend Registry cleaning programs. Very often, the entries they remove should not be removed, or the user does not know enough about the process to decide whether it should be removed.
    3. MRT.exe is the Malicious Software Removal Tool. At this point you don't know if it's a problem with the program itself or if malware is shutting it down. We have to look further as the current logs aren't giving malware information.
    4. The fan running is a heat issue. If it is now louder than usual, you may need to open the computer and clean the inside. (carefully)
    5. You do have a process running actively which is thought to be a Trojan: flu.exe
    ==============================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    Re-enable your Antivirus software.
    ==================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please paste these logs into your next reply.

    This is a very busy forum. Please practice patience.
     
  12. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Thanks for the help Bobbye. I uninstalled IOBIT Advanced System Care and F.lux.

    I was unable to uninstall Registry Patrol and received the following message: "The following file does not exist or is not a valid uninstallation log file. C:\Program Files\Registry Patrol\uninstal.log"

    Attached are the logs for combofix & ESET.
     

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Found Registry Patrol!

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files 
      C:\Program Files\ABC Amber BlackBerry Converter\abcberry.exe	
      C:\Program Files\Registry Patrol\RegistryPatrol.exe	
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Go ahead and run this. I have to go out for a bit and will check the Combofix as soon as I get back.
     
  14. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    I downloaded and ran OTMoveIt. Here's the log:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files\ABC Amber BlackBerry Converter\abcberry.exe moved successfully.
    C:\Program Files\Registry Patrol\RegistryPatrol.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User

    User: Kent
    ->Temp folder emptied: 230792 bytes
    ->Temporary Internet Files folder emptied: 13824939 bytes
    ->FireFox cache emptied: 88749158 bytes
    ->Flash cache emptied: 17407 bytes

    User: Kids
    ->FireFox cache emptied: 3292179 bytes

    User: Kids.DELL-3DD1301BF7

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 24871032 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 111759 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 528055 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32969 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 126.00 mb


    OTM by OldTimer - Version 3.1.14.0 log created on 07162010_111956

    Files moved on Reboot...
    C:\Documents and Settings\Kent\Local Settings\Temp\~DFB033.tmp moved successfully.
    C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\Content.IE5\FWG3ZMTX\ads[2].htm moved successfully.
    C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\Content.IE5\FWG3ZMTX\topic149961[1].htm moved successfully.
    C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\Content.IE5\9FAREKS0\sh20[1].htm moved successfully.
    C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
    File C:\WINDOWS\temp\TMP000000014F29C6299C5DE561 not found!

    Registry entries deleted on Reboot...
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I found the Registry program in Combofix. It was actually downloaded twice: 10/2009 and 12/2009. I have written a script to remove them. Some of the problems you mentioned can easily be system-related. Please run the following:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    c:\documents and settings\All Users\Application Data\IObit
    c:\documents and settings\Kent\Application Data\IObit
    c:\program files\IObit
    c:\program files\Registry Patrol
    c:\program files\Registry Patrol(2)
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (image: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Please let me know if there are any malware related problems remaining.
     
  16. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Attached is the ComboFix log and here is pasted log for HijackThis. Thanks again for all the help!

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:34:00 PM, on 7/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17055)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Swift To-Do List\Swift To-Do List Lite.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100519222050.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKCU\..\Run: [ContactKeeper Birthday reminder] "C:\Program Files\ContactKeeper\ContactKeeper.exe" /Reminder
    O4 - HKCU\..\Run: [SwiftToDoListLite] "C:\Program Files\Swift To-Do List\Swift To-Do List Lite.exe" minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 8204 bytes
     


  17. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Hi Bobbye ... I'm patiently looking forward to your reply. Okay, I'm not that patient, but I am curious to find out what the latest logs revealed. I notice that I still have 2 instances of iexplore.exe running.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think you missed this line in GMER: Warning ! Please, do not select the "Show all" checkbox during the scan.

    1. Slow can cover a wide range of causes. Two very common reasons are: Not enough RAM and/or too many programs on startup and running in the background.

    2. You have an antivirus program to protect the system and remove viruses, worms and some Trojans. So it's doing its job.

    3. A BSOD can happen occasionally. You may never know the reason for it. If you continue to get BSODs and/or notice you are getting them when you try to run a specific program or do a specific function on the system, then you worry.

    4. Regarding multiple iexplore.exe processes running: do you know that this is normal for IE8? While it is possible that malware can hide in the process, it is also acceptable to have multiple running.

    Are there any other problems in addition to the subject of the thread? These logs are clean.
     
  19. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Thanks Bobbye for giving me a clean "bill of health" on the logs. What is the consequence of "Show All" in GMER? My apologies if I created extra work for you.

    I don't recall the exact sequence, but McAfee didn't find and remove Artemis until after I was running the logs (it might have been Malwarebytes).

    There haven't been any more BSODs (now I know the terminology!) and my computer is booting up faster ... thanks to your help!

    Thanks for the info on iexplore.exe ... no, I didn't know that was normal for IE8.

    My last questions: 1) Registry Patrol icon is still on my Desktop and 2) What steps do you recommend to keep my computer running clean?

    Thanks so much for your help and your time! - Kent
     
  20. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Update: McAfee found "FakeAlert-FakeSpy!env.a" earlier and now I'm getting redirected to different websites when I do a Google search (this occurred after I downloaded Google Toolbar). Urggghhh ... what now?

    Here's a log of Malwarebytes that I just ran:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4309

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    7/20/2010 10:13:46 PM
    mbam-log-2010-07-20 (22-13-46).txt

    Scan type: Quick scan
    Objects scanned: 143069
    Time elapsed: 29 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wheyazucoc (Trojan.Hiloti) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\kbdibdhs.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\kAZYTNUhEh.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JMRS7NDP\setup[2].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JMRS7NDP\setup[3].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\0.18964769238173818.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     
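    Two things in the logs above are worth a closer look than a clean/dirty verdict gives: the earlier question of whether several iexplore.exe processes are legitimate (the same image name can be run from a wrong directory or hosted by a different binary), and the Hiloti persistence just found, a Run value under HKEY_USERS\.DEFAULT (the profile HijackThis tags as User 'Default user', not the logged-on account) pointing at a DLL dropped straight into C:\WINDOWS. The script below is an added example, not part of this thread or of HijackThis/Malwarebytes: it parses the "Running processes" and O4 lines of a HijackThis-style log offline and flags well-known binaries running from the wrong directory, autostart targets in temp or profile scratch folders, DLLs loaded from the Windows root, and system-hive autostarts that do not point into Program Files or system32. The sample log is constructed for illustration; the wheyazucoc value and kbdibdhs.dll names come from the Malwarebytes log above, but wiring them together through rundll32 is an assumption, and the svchost.exe-in-Temp line is invented to exercise the path check.

```python
"""Offline triage of a HijackThis-style log (added example, not the thread's tool).

Flags: well-known binaries outside their normal directory, autostart (O4)
targets in scratch folders, DLLs loaded from the Windows root, and autostarts
in the SYSTEM / .DEFAULT hives that do not point into Program Files or system32.
"""
import re
from collections import Counter

# Where Windows XP keeps the genuine copy of these binaries (lower-cased).
EXPECTED_DIRS = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "svchost.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}
# Autostart targets living under these are rarely legitimate.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\application data\\")
# Hives that belong to SYSTEM / the default profile rather than the logged-on user.
SYSTEM_HIVES = (r"HKUS\.DEFAULT", r"HKUS\S-1-5-18")
# Paths a system-hive autostart is allowed to point at without comment.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1", r"c:\windows\system32")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def primary_target(cmd):
    """The file an O4 command really launches: the quoted program, or the text up
    to the first .exe/.dll; a rundll32 host is resolved to the DLL it loads."""
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|dll|scr))', cmd, re.I)
    if not m:
        return cmd.strip()
    target = m.group(1) or m.group(2)
    if target.lower().endswith("rundll32.exe"):
        m2 = re.search(r'"([^"]+)"|(\S+?\.dll)', cmd[m.end():], re.I)
        if m2:
            target = m2.group(1) or m2.group(2)
    return target


def assess_o4(hive, name, cmd):
    """Reasons an autostart entry deserves a look (empty list = nothing odd)."""
    target = primary_target(cmd).lower()
    reasons = []
    if any(d in target for d in SUSPICIOUS_DIRS):
        reasons.append("target lives in a temp/profile scratch directory")
    if target.endswith(".dll") and target.rsplit("\\", 1)[0] == r"c:\windows":
        reasons.append("DLL loaded from the Windows root")
    if hive.startswith(SYSTEM_HIVES) and not target.startswith(TRUSTED_PREFIXES):
        reasons.append("system-hive autostart outside Program Files/system32")
    return reasons


def parse_log(text):
    """Split a HijackThis log into process paths and (hive, name, command) O4 tuples."""
    procs, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            in_procs = bool(line)      # the process block ends at the first blank line
            if line:
                procs.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            autostarts.append((m["hive"], m["name"], m["cmd"]))
    return procs, autostarts


def triage(text):
    """Return (process-name counts, findings). A finding is (kind, what, why).
    Note the path check only catches the crude case: two iexplore.exe from the
    genuine directory can still host injected code, which needs a live look at
    parent process and command line, not a log."""
    procs, autostarts = parse_log(text)
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in procs)
    findings = []
    for p in procs:
        directory, _, name = p.lower().rpartition("\\")
        expected = EXPECTED_DIRS.get(name)
        if expected and directory != expected:
            findings.append(("process", p, f"{name} normally lives in {expected}"))
    for hive, name, cmd in autostarts:
        for why in assess_o4(hive, name, cmd):
            findings.append(("autostart", f"{hive} [{name}] {cmd}", why))
    return counts, findings


# Constructed sample: two genuine iexplore.exe, one svchost.exe in Temp (invented),
# the thread's legitimate O4 lines, and an assumed Hiloti-style entry built from the
# value name and DLL reported by Malwarebytes above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [wheyazucoc] rundll32.exe "C:\WINDOWS\kbdibdhs.dll",Startup (User 'Default user')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    print("iexplore.exe instances:", counts["iexplore.exe"])
    for kind, what, why in findings:
        print(f"[{kind}] {what}\n    -> {why}")
```

    On the sample the two iexplore.exe instances pass (same name, expected directory), the Temp copy of svchost.exe is flagged, the legitimate S-1-5-18 DWQueuedReporting entry is not (it resolves into PROGRA~1), and the wheyazucoc entry is flagged twice: a DLL in the Windows root, and a system-hive autostart outside the trusted directories. Paste a real HijackThis log in place of SAMPLE_LOG to run the same checks on it.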
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Run this first:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Follow with Eset scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Leave the Eset log. Some of these entries are in the temporary internet files; maybe I can pinpoint the source and/or locations of other entries.
     
  22. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Is there another site to download TFC? (geekstogo is offline while they "investigate a repeated URL injection")
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  24. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    eset log attached.
     

    Attached Files: log.txt (2.2 KB)
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What is your status now please?

    BTW, this site is back up for TFC:
    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
     
Topic Status:
Not open for further replies.