javascript:clickRefresh()

[Clare Hollands]

Hello, I hope you can help... When I open Internet Explorer, it keeps opening new pages with javascript:clickRefresh() in the address box. I'm not sure if it's because I have a virus. I have Mcafee antivirus, but it won't update.

I've downloaded DDS and the two logs you asked for follow -

DDS (Ver_10-03-17.01) - NTFSx86
Run by Clarey at 21:53:56.48 on 14/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.296 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Bhohub.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Clarey\LOCALS~1\Temp\Bpr.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Clarey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100512194842.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [EWABQAF7KL] c:\docume~1\clarey\locals~1\temp\Bpr.exe
uRun: [AdVantage] c:\documents and settings\clarey\application data\advantage\AdVantage.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\clarey\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.67,93.188.161.207
TCP: {00E8CC0B-9FBC-4441-B887-3DD9F380F00B} = 93.188.162.67,93.188.161.207
TCP: {31181E19-FED8-492B-94AA-9FE1C6548ED9} = 93.188.162.67,93.188.161.207
TCP: {C12DA6BB-96CD-439B-A8A8-AA2995CF37E6} = 93.188.162.67,93.188.161.207
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-27 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-30 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-30 54776]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-27 4300]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-27 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-30 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-30 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-7-10 53032]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2009-8-27 31248]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-8-27 14336]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-30 55456]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-27 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-27 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-30 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-8-27 238464]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-30 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-27 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-27 40552]
S3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2009-8-27 1448080]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]

=============== Created Last 30 ================

2010-07-09 11:47:07 175104 ----a-w- c:\windows\Bhohub.exe
2010-07-08 19:39:03 0 d-----w- c:\docume~1\clarey\applic~1\advantage
2010-07-08 19:17:50 175104 ----a-w- c:\windows\Bhohua.exe
2010-07-01 06:13:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-07-01 06:13:25 0 d-----w- c:\program files\Room on the Broom

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-12-25 15:32:35 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-27 18:26:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-12-26 05:38:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122520091226\index.dat

============= FINISH: 21:55:46.26 ===============

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 26/12/2009 05:41:46
System Uptime: 14/07/2010 16:38:42 (5 hours ago)

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | NC10
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U2E1 | 1596/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 56.351 GiB free.
D: is FIXED (NTFS) - 72 GiB total, 69.28 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 09/07/2010 12:46:05 - System Checkpoint
RP2: 14/07/2010 20:55:37 - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros WLAN Client
Bonjour
Easy Display Manager
Easy Network Manager
ERUNT 1.1j
Google Toolbar for Internet Explorer
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
imagine digital freedom - Samsung
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Magic Keyboard
Marvell Miniport Driver
McAfee Internet Security
McAfee Online Backup
McAfee Security Scan Plus
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.3
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Namuga 1.3M Webcam
Nero 8 Essentials
Play Camera
QuickTime
Realtek High Definition Audio Driver
Room on the Broom (remove only)
Samsung Battery Manager
Samsung EDS
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Guide
VCRedistSetup
WebCam SCB-1800D
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
Windows Media Format Runtime
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

09/07/2010 21:35:13, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
09/07/2010 12:47:38, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
09/07/2010 12:47:38, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

[JonTom]

Hello Clare Hollands and

My name is JonTom.

• Malware Logs can sometimes take a lot of time to research and interpret.
  
• Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  
• Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  
• Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  
• PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

As it has been a few days since you posted, please perform a new DDS scan and work you way through the steps below. If you encounter any difficulties come back and let me know.

1. Please scan your system with GMER
   
   
   
   Download GMER Rootkit Scanner from here or here.
   
   • Extract the contents of the zipped file to desktop.
   • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
   • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
     
     
     Click the image to enlarge it
     
   • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
     • IAT/EAT
     • Drives/Partition other than Systemdrive (typically C:\)
     • Show All (don't miss this one)
   • Then click the Scan button & wait for it to finish.
   • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
     
   • Save it where you can easily find it, such as your desktop, and post it in your reply.
   
   
   **Caution**
   Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
   
   Please post the DDS logs and the GMER log in your next reply.
   

[JonTom]

Do you still need help?

[Clare Hollands]

Hi,

Thanks for the response; I've tried to run GMER several times but it's either caused a blue-screen restart, or made the computer stop working.

I've created new DDS logs - attached...

DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Clarey at 15:20:25.78 on 25/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.480 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Clarey\LOCALS~1\Temp\Bpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Clarey\Local Settings\Temporary Internet Files\Content.IE5\5CAZYSCD\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en&amp;source=iglk
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100512194842.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [EWABQAF7KL] c:\docume~1\clarey\locals~1\temp\Bpr.exe
uRun: [AdVantage] c:\documents and settings\clarey\application data\advantage\AdVantage.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\clarey\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.67,93.188.161.207
TCP: {00E8CC0B-9FBC-4441-B887-3DD9F380F00B} = 93.188.162.67,93.188.161.207
TCP: {31181E19-FED8-492B-94AA-9FE1C6548ED9} = 93.188.162.67,93.188.161.207
TCP: {C12DA6BB-96CD-439B-A8A8-AA2995CF37E6} = 93.188.162.67,93.188.161.207
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-27 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-30 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-30 54776]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-27 4300]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-27 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-30 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-30 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-7-10 53032]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2009-8-27 31248]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-8-27 14336]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-30 55456]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-27 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-27 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-30 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-8-27 238464]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-30 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-27 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-27 40552]
S3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2009-8-27 1448080]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]

=============== Created Last 30 ================

2010-07-24 22:05:29 0 d-----w- C:\spoolerlogs
2010-07-09 11:47:07 175104 ----a-w- c:\windows\Bhohub.exe
2010-07-08 19:39:03 0 d-----w- c:\docume~1\clarey\applic~1\advantage
2010-07-08 19:17:50 175104 ----a-w- c:\windows\Bhohua.exe
2010-07-01 06:13:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-07-01 06:13:25 0 d-----w- c:\program files\Room on the Broom

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-12-25 15:32:35 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-27 18:26:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-12-26 05:38:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122520091226\index.dat

============= FINISH: 15:22:32.70 ===============

DDS Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 26/12/2009 05:41:46
System Uptime: 25/07/2010 15:10:36 (0 hours ago)

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | NC10
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U2E1 | 1596/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 56.337 GiB free.
D: is FIXED (NTFS) - 72 GiB total, 69.28 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 09/07/2010 12:46:05 - System Checkpoint
RP2: 14/07/2010 20:55:37 - System Checkpoint
RP3: 22/07/2010 22:36:56 - System Checkpoint
RP4: 25/07/2010 00:12:00 - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros WLAN Client
Bonjour
Easy Display Manager
Easy Network Manager
ERUNT 1.1j
Google Toolbar for Internet Explorer
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
imagine digital freedom - Samsung
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Magic Keyboard
Marvell Miniport Driver
McAfee Internet Security
McAfee Online Backup
McAfee Security Scan Plus
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.3
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Namuga 1.3M Webcam
Nero 8 Essentials
Play Camera
QuickTime
Realtek High Definition Audio Driver
Room on the Broom (remove only)
Samsung Battery Manager
Samsung EDS
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Guide
VCRedistSetup
WebCam SCB-1800D
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
Windows Media Format Runtime
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

25/07/2010 15:09:36, error: System Error [1003] - Error code 0000004e, parameter1 00000007, parameter2 0001e143, parameter3 00000001, parameter4 00000000.
25/07/2010 01:13:08, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
24/07/2010 23:33:12, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
24/07/2010 23:07:36, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:02, error: Service Control Manager [7034] - The McAfee Online Backup service terminated unexpectedly. It has done this 1 time(s).
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Personal Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:56:59, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
24/07/2010 22:56:59, error: Service Control Manager [7034] - The McAfee Firewall Core Service service terminated unexpectedly. It has done this 1 time(s).
24/07/2010 22:56:59, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).
22/07/2010 21:57:24, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3 00000001, parameter4 843d5000.
22/07/2010 21:29:28, error: System Error [1003] - Error code 10000050, parameter1 e469a000, parameter2 00000000, parameter3 a801ac3e, parameter4 00000001.
18/07/2010 21:17:05, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

[JonTom]

Hello Clare Hollands

I've tried to run GMER several times but it's either caused a blue-screen restart, or made the computer stop working.

Lets try this:

1. GMER
   
   
   
   • If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
   • If GMER does not produce a log please try running it from Safe Mode.
   
   
   
   • How to use the F8 method to Start Your Computer in Safe Mode
   
   
   
   • Restart your computer.
   • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
   • Use the arrow keys to select the Safe mode menu item.
   • Press Enter.
   
   
   
   • If GMER in safe mode does not work, please try RootRepeal:
   
   
   
2. RootRepeal
   
   
   
   • Please download RootRepeal to your desktop.
   • Physically disconnect your machine from the internet as your system will be unprotected.
   • Unzip it to it's own folder, close all other programs especially your security programs (anti-spyware, anti-virus, and firewall) and run RootRepeal.exe
   • Click the Report tab at the bottom and then the Scan button.
   • A box will pop up, check the boxes beside Drivers, Files, Processes SSDT and click OK.
   • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
   • The scan will take a little while to run, so let it go unhindered.
   • Once it is done, click the "Save Report" button, call it RepealScan and save the log to your desktop.
   • Reconnect to the internet.
   
   
   Please provide the GMER/Rootrepeal log in your next reply. If you are still having trouble, come back and let me know.
   

[Clare Hollands]

Thank you - that worked.

I've attached the first half of the GMER log ( second half and Repeal log to follow):

GMER...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-27 19:45:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Clarey\LOCALS~1\Temp\uxtdqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A92 7 Bytes JMP F7517E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BDF 1 Byte [E9]
PAGE ntoskrnl.exe!ZwOpenKey 80572BDF 5 Bytes JMP F7517DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80578710 5 Bytes JMP F7517DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057A401 5 Bytes JMP F7517E60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057A879 7 Bytes JMP F7517E4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 8057F592 5 Bytes JMP F7517D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8057FCE0 7 Bytes JMP F7517E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 80584849 5 Bytes JMP F7517D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 80593435 5 Bytes JMP F7517E74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 805983A2 7 Bytes JMP F7517DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80599783 7 Bytes JMP F7517DC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 805DFB3F 5 Bytes JMP F7517E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655EA2 7 Bytes JMP F7517DDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50076
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C5004A
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50F8D
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C50F3F
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C50091
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50EF8
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F09
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50EE7
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50FA8
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50FDE
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F66
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C5002F
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50014
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F2E
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FB9
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C4002F
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40F68
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C40F83
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E4, 88] {IN AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40F9E
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30FAB
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FC6
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FD7
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00910078
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00910F83
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00910F94
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00910051
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00910036
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00910F4D
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00910F68
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00910F21
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009100BA
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00910F10
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00910FA5
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00910093
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00910025
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00910F3C
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00900F72
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00900F83
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00900F94
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B0, 88] {MOV AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00900FAF
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF002E
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FAD
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0FD2
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF001D
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FE3
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00930040
.text C:\WINDOWS\system32\svchost.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0011
.text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F0FDB
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0064
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0053
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0036
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0025
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0F9E
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0086
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0F3E
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0F08
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F19
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E00B2
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0F83
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0075
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0FAF
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0097
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760F9E
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0076004A
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FB9
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0076002F
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FE5
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00760014
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760F8D
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710F90
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710FA1
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00710FD7
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710000
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00710FBC
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710011
.text C:\WINDOWS\system32\services.exe[1412] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700FEF
.text C:\WINDOWS\system32\lsass.exe[1432] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\lsass.exe[1432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\lsass.exe[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E20011
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F5E
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F79
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90F8A
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90047
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FA5
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90089
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90078
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900B5
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C9009A
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900D0
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F4D
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F1C
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0040
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0F83
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FD0F9E
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1D, 89]
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E4004E
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E4003D
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40011
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FE3
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B1002F
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B10014
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B0007F
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00F8A
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00058
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00047
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B000B0
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00F68
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F32
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B000CB
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00F21
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00FA5
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F79
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00025
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00014
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F57
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0F8D
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0014
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE004A
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B30036
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B30FA1
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30FD7
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30FB2
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B30011
.text C:\WINDOWS\system32\svchost.exe[1592] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1652] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1652] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A50FC3
.text C:\WINDOWS\system32\svchost.exe[1652] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40F52
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F63
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40F74
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A4003D
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40FB6
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40062
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F26
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40087
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40EEE
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40ED3
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40F9B
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40F41
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A40EFF
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!