View Full Version : Google searches redirecting, need help
I have McAfee Security Center, Adaware, Malwarebytes and Spybot Search and Destroy. I have updated and run all three but continue to get Google web redirecting on search results. I turned off System restore recommend by a post I found somewhere else and turned it back on. I still have the issue.
I downlaoded ERUNT and HJT. Here is my log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:33 PM, on 12/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070218
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070218
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GuideMenu] C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe -hide
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {032C5CBC-2272-438F-AC73-38EA92AF19BD} (WebViewer Control) - http://68.253.179.127/WebViewer.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.26/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://192.168.1.36/img/LinksysViewer.cab
O16 - DPF: {B0424F8A-E33B-44C1-B076-4ECB9B3FA6F8} (FileDownloadCtrl Control) - https://dlweb.cti.depaul.edu/COL4/CLIENT5/FileDownloadCtrl.cab
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://ouvpn.us.oracle.com/prx/000/http/localhost/arr_x.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115/NetCamPlayerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2474277-E85B-4784-BBF6-F480EF01EDCC}: NameServer = 130.35.249.41,138.2.202.15,144.20.190.70
O18 - Protocol: bw+0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: offline-8876480 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Array SSL VPN Service 8,1,0,307 (ArraySSL_VPN_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
O23 - Service: Array Utility Service 8,1,0,307 (Array_Utility_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe
--
End of file - 26277 bytes
Thanks for the help.....
Alex
Hi klipsch
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)"
Important! Please do not select the "Show all" checkbox during the scan..
GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-12 17:09:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Alex\LOCALS~1\Temp\fxtdapow.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xACA8D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xACA8D821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xACA8D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xACA8D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xACA8D835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xACA8D861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xACA8D8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xACA8D8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xACA8D7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xACA8D8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xACA8D80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xACA8D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xACA8D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xACA8D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xACA8D937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xACA8D8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xACA8D88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xACA8D84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xACA8D923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xACA8D90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xACA8D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xACA8D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xACA8D877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xACA8D7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xACA8D8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xACA8D7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xACA8D7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP ACA8D7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP ACA8D78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP ACA8D7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP ACA8D7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP ACA8D7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP ACA8D714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP ACA8D728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP ACA8D766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP ACA8D750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP ACA8D73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP ACA8D77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP ACA8D7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP ACA8D891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP ACA8D87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP ACA8D8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP ACA8D8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP ACA8D84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP ACA8D825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP ACA8D839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP ACA8D865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP ACA8D8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP ACA8D8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP ACA8D811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP ACA8D93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP ACA8D913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP ACA8D927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP ACA8D8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F0B7AC]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9065000, 0x238E77, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60F80
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60075
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60064
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60FA5
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F63
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D600AB
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600D0
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F37
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D600E1
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D6003D
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D6009A
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\svchost.exe[628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60F52
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006A0036
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006A0F9E
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006A0FDB
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006A001B
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006A0FB9
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006A0000
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006A0051
.text C:\WINDOWS\system32\svchost.exe[628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006A0FCA
.text C:\WINDOWS\system32\svchost.exe[628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00690FA8
.text C:\WINDOWS\system32\svchost.exe[628] msvcrt.dll!system 77C293C7 5 Bytes JMP 00690033
.text C:\WINDOWS\system32\svchost.exe[628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00690FCD
.text C:\WINDOWS\system32\svchost.exe[628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00690FEF
.text C:\WINDOWS\system32\svchost.exe[628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00690022
.text C:\WINDOWS\system32\svchost.exe[628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00690FDE
.text C:\WINDOWS\system32\svchost.exe[628] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\svchost.exe[628] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00670FDE
.text C:\WINDOWS\system32\svchost.exe[628] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0067000A
.text C:\WINDOWS\system32\svchost.exe[628] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0067001B
.text C:\WINDOWS\system32\svchost.exe[628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00680FEF
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014C0FE5
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014C0F79
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014C0078
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014C005B
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014C0F9E
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014C0FC0
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014C009D
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014C0F57
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014C00B8
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014C0F29
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014C00DD
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 014C0FAF
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 014C0000
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 014C0F68
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 014C002C
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 014C0011
.text C:\WINDOWS\system32\services.exe[1128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014C0F3A
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014B001B
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014B0F94
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014B0FCA
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014B0000
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014B0FA5
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014B0FE5
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 014B0047
.text C:\WINDOWS\system32\services.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014B0036
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 014A0027
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 014A0FA6
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 014A0FB7
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014A0FE3
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 014A000C
.text C:\WINDOWS\system32\services.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014A0FD2
.text C:\WINDOWS\system32\services.exe[1128] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[1128] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[1128] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\services.exe[1128] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0FCD
.text C:\WINDOWS\system32\services.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F8D
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0082
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0065
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF004A
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00BA
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF009D
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F21
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F32
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00D5
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F72
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[1140] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F4D
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E6002F
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E6005B
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E60014
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E60FA8
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E6004A
.text C:\WINDOWS\system32\lsass.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E50F8B
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E50FA6
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50FC8
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E5000C
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50FB7
.text C:\WINDOWS\system32\lsass.exe[1140] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\lsass.exe[1140] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\lsass.exe[1140] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[1140] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D70FDE
.text C:\WINDOWS\system32\lsass.exe[1140] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D70014
.text C:\WINDOWS\system32\lsass.exe[1140] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F7E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40073
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40062
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40FA5
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40FCA
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F63
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F400B5
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400E1
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F52
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40F2D
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40051
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F4008E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400C6
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F3002F
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30F68
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F30F79
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [13, 89]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30F94
.text C:\WINDOWS\system32\svchost.exe[1388] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0082000A
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F20FB9
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F2004E
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20029
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BB0014
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0106008C
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01060F8D
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01060FA8
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01060065
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0106004A
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01060F6B
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010600A7
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010600D8
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01060F35
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010600F3
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01060FB9
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01060025
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01060F7C
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01060FDE
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01060F50
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01050025
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01050F9E
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0105005B
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01050FAF
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [25, 89]
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01050040
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF004E
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0029
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1500] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1500] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[1500] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0FC3
.text C:\WINDOWS\system32\svchost.exe[1500] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD0FB2
.text C:\WINDOWS\system32\svchost.exe[1500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04C00000
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04C00084
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04C00F8F
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04C00073
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04C00FB6
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04C00FC7
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04C00F63
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04C000A9
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04C000E1
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04C000D0
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04C00F2D
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04C0004E
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04C00011
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04C00F7E
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04C00033
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04C00022
.text C:\WINDOWS\System32\svchost.exe[1620] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04C00F52
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04BF0025
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04BF0F8D
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04BF0FD4
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04BF0FEF
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04BF0FA8
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04BF000A
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 04BF0040
.text C:\WINDOWS\System32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04BF0FB9
.text C:\WINDOWS\System32\svchost.exe[1620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04A10053
.text C:\WINDOWS\System32\svchost.exe[1620] msvcrt.dll!system 77C293C7 5 Bytes JMP 04A10042
.text C:\WINDOWS\System32\svchost.exe[1620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04A1000C
.text C:\WINDOWS\System32\svchost.exe[1620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04A10FEF
.text C:\WINDOWS\System32\svchost.exe[1620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04A10027
.text C:\WINDOWS\System32\svchost.exe[1620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04A10FD2
.text C:\WINDOWS\System32\svchost.exe[1620] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 049E0000
.text C:\WINDOWS\System32\svchost.exe[1620] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 049E0FE5
.text C:\WINDOWS\System32\svchost.exe[1620] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 049E001B
.text C:\WINDOWS\System32\svchost.exe[1620] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 049E0FD4
.text C:\WINDOWS\System32\svchost.exe[1620] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04A00FEF
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20067
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20F72
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D2004C
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20F83
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20025
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D200B3
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D2008C
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D200C4
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D20F2B
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D20F1A
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D20F9E
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D20FCA
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D20F61
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D20FB9
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D20F46
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10022
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D10069
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D10011
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D10FDB
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D1004E
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D1003D
.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D10FB6
.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00049
.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00038
.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D0001D
.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D0000C
.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FBE
.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1680] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1680] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1680] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[1680] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\system32\svchost.exe[1680] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 017E0FEF
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 017E0F5E
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 017E005D
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 017E0F83
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 017E0F9E
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 017E002C
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 017E0F26
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 017E0F43
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017E0EDF
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017E0EF0
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 017E0093
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 017E0FAF
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 017E000A
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 017E006E
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 017E001B
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 017E0FD4
.text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 017E0F15
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 017D0FAF
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 017D0036
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 017D0FCA
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 017D0000
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 017D0F83
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 017D0FE5
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 017D001B
.text C:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 017D0F94
.text C:\WINDOWS\system32\svchost.exe[1928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 017C0042
.text C:\WINDOWS\system32\svchost.exe[1928] msvcrt.dll!system 77C293C7 5 Bytes JMP 017C0031
.text C:\WINDOWS\system32\svchost.exe[1928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 017C0FD2
.text C:\WINDOWS\system32\svchost.exe[1928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 017C0FEF
.text C:\WINDOWS\system32\svchost.exe[1928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 017C0FC1
.text C:\WINDOWS\system32\svchost.exe[1928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 017C000C
.text C:\WINDOWS\system32\svchost.exe[1928] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 017A0FEF
.text C:\WINDOWS\system32\svchost.exe[1928] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 017A0FCA
.text C:\WINDOWS\system32\svchost.exe[1928] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 017A0000
.text C:\WINDOWS\system32\svchost.exe[1928] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 017A0FAF
.text C:\WINDOWS\system32\svchost.exe[1928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 017B0FE5
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01120FE5
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01120F55
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0112004A
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01120F66
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0112002F
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01120FA8
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0112008C
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01120065
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01120F15
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011200AE
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01120F04
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01120F8D
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01120FD4
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01120F3A
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0112000A
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01120FB9
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!WinExec 7C86250D 3 Bytes JMP 0112009D
.text C:\WINDOWS\System32\svchost.exe[1992] kernel32.dll!WinExec + 4 7C862511 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01110FC0
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01110F94
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01110011
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01110000
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01110FA5
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01110FEF
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01110051
.text C:\WINDOWS\System32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01110036
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0042
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0027
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FB7
.text C:\WINDOWS\System32\svchost.exe[1992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\System32\svchost.exe[1992] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0000
.text C:\WINDOWS\System32\svchost.exe[1992] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0011
.text C:\WINDOWS\System32\svchost.exe[1992] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\System32\svchost.exe[1992] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD002C
.text C:\WINDOWS\System32\svchost.exe[1992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0087
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F92
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C006C
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FDB
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00B3
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F6B
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F2E
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F3F
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00E2
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C00A2
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0047
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0036
.text C:\WINDOWS\system32\dllhost.exe[3256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F5A
.text C:\WINDOWS\system32\dllhost.exe[3256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0049
.text C:\WINDOWS\system32\dllhost.exe[3256] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FBE
.text C:\WINDOWS\system32\dllhost.exe[3256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B001D
.text C:\WINDOWS\system32\dllhost.exe[3256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\dllhost.exe[3256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B002E
.text C:\WINDOWS\system32\dllhost.exe[3256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0080
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C002F
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0065
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C000A
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C004A
.text C:\WINDOWS\system32\dllhost.exe[3256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\system32\dllhost.exe[3256] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00710000
.text C:\WINDOWS\system32\dllhost.exe[3256] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00710FDB
.text C:\WINDOWS\system32\dllhost.exe[3256] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00710FCA
.text C:\WINDOWS\system32\dllhost.exe[3256] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00710FB9
.text C:\WINDOWS\system32\dllhost.exe[3256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70069
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F74
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70058
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F7002C
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F48
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F63
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F19
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700BC
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700CD
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70FA5
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F7008E
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FC0
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\svchost.exe[3348] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F700AB
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F6008A
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60036
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60FC3
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F60065
.text C:\WINDOWS\system32\svchost.exe[3348] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\svchost.exe[3348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50FB0
.text C:\WINDOWS\system32\svchost.exe[3348] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50FC1
.text C:\WINDOWS\system32\svchost.exe[3348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50FE3
.text C:\WINDOWS\system32\svchost.exe[3348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[3348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FD2
.text C:\WINDOWS\system32\svchost.exe[3348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50011
.text C:\WINDOWS\system32\svchost.exe[3348] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[3348] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[3348] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[3348] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[3348] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE00B2
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE00A1
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE007A
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0069
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE004E
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE0F76
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0F91
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00EA
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE0F5B
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE00FB
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0FC7
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE0011
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0FA2
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE003D
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE002C
.text C:\WINDOWS\system32\svchost.exe[3400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE00D9
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DD0FE5
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DD0FAF
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DD0036
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DD001B
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DD006C
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DD005B
.text C:\WINDOWS\system32\svchost.exe[3400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DD0FCA
.text C:\WINDOWS\system32\svchost.exe[3400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0FB4
.text C:\WINDOWS\system32\svchost.exe[3400] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E003F
.text C:\WINDOWS\system32\svchost.exe[3400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E001D
.text C:\WINDOWS\system32\svchost.exe[3400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[3400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E002E
.text C:\WINDOWS\system32\svchost.exe[3400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0FE3
.text C:\WINDOWS\system32\svchost.exe[3400] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[3400] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\system32\svchost.exe[3400] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D0014
.text C:\WINDOWS\system32\svchost.exe[3400] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0025
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
Device atapi.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Driver\00000802 -> \Driver\atapi \Device\Harddisk0\DR0 8A75450C
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Looks like ComboFix is unavailable. I will post as soon as its available again.
Do you have windows CD handy?
Yes, I do have a Windows CD.
Good :)
Then please install recovery console as described here (http://support.microsoft.com/kb/307654) and we will continue.
Looks like combofix is back up. So i decided to go that route. Here are the log files.
ComboFix Log File
ComboFix 09-12-19.03 - Alex 12/20/2009 11:37:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1437 [GMT -6:00]
Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\kb913800.exe
J:\autorun.inf
K:\Autorun.inf
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.
2009-12-10 14:54 . 2009-12-10 14:54 -------- d-----w- c:\program files\iPod
2009-12-10 14:54 . 2009-12-10 14:56 -------- d-----w- c:\program files\iTunes
2009-12-10 14:54 . 2009-12-10 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-10 14:53 . 2009-12-10 14:53 -------- d-----w- c:\program files\Bonjour
2009-12-10 09:04 . 2009-12-10 09:04 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-12-07 20:12 . 2009-12-07 20:12 -------- d-----w- c:\program files\ERUNT
2009-12-07 19:47 . 2009-12-07 19:47 -------- d-----w- c:\program files\Trend Micro
2009-12-06 14:52 . 2009-12-16 05:57 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Temp
2009-12-06 04:31 . 2009-12-06 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-06 04:31 . 2009-12-06 04:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-04 00:13 . 2009-12-04 00:13 -------- d-----w- c:\documents and settings\Alex\Application Data\Malwarebytes
2009-12-04 00:12 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:12 . 2009-12-04 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-04 00:12 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 00:12 . 2009-12-04 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 17:09 . 2007-08-01 02:18 -------- d-----w- c:\program files\LogMeIn
2009-12-10 14:58 . 2008-01-10 01:41 126616 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-10 14:57 . 2007-02-24 15:05 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2009-12-10 14:54 . 2007-07-12 21:52 -------- d-----w- c:\program files\Common Files\Apple
2009-12-10 14:52 . 2007-03-11 17:54 -------- d-----w- c:\program files\QuickTime
2009-12-10 14:50 . 2007-03-11 17:53 -------- d-----w- c:\program files\Apple Software Update
2009-12-10 09:05 . 2008-08-02 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-04 23:55 . 2007-02-23 00:31 -------- d-----w- c:\program files\McAfee
2009-11-25 22:47 . 2007-02-24 04:35 -------- d-----w- c:\program files\MediaMonkey
2009-11-18 02:27 . 2009-10-17 00:52 -------- d-----w- c:\documents and settings\Alex\Application Data\Ulead Systems
2009-11-17 23:34 . 2007-02-23 02:24 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-15 15:21 . 2009-11-11 02:19 -------- d-----w- c:\documents and settings\Alex\Application Data\Move Networks
2009-11-11 21:01 . 2007-02-18 20:38 153400 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 09:06 . 2007-02-18 20:27 -------- d-----w- c:\program files\Microsoft Works
2009-11-07 14:41 . 2008-01-22 22:13 -------- d-----w- c:\program files\Lavasoft
2009-11-07 14:40 . 2009-11-07 14:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 14:39 . 2008-01-22 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-29 07:45 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-23 20:57 . 2007-02-24 15:57 -------- d-----w- c:\program files\Logitech
2009-10-23 19:30 . 2007-02-18 20:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 23:12 . 2009-10-16 23:14 10368 ----a-w- c:\windows\system32\drivers\iviaspi.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-02 01:31 . 2007-08-01 02:18 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-10-02 01:31 . 2007-08-01 02:18 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-02 01:31 . 2007-08-01 02:18 28984 ----a-w- c:\windows\system32\LMIport.dll
2007-04-25 08:49 . 2009-10-16 23:11 328 ------w- c:\program files\GuideMenuSetup.iss
2007-04-06 03:28 . 2009-10-16 23:15 1237 ------w- c:\program files\WinDVDSetup.iss
2001-06-20 22:19 . 2001-06-19 22:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe
2008-02-28 19:30 . 2007-08-01 02:19 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 19:33 . 2007-08-01 02:19 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2007-02-23 21:43 . 2007-02-23 02:24 88 --sh--r- c:\windows\system32\F575E7666E.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-14 98304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"GuideMenu"="c:\program files\Corel\Corel GuideMenu\GuideMenu.exe" [2007-08-07 1282048]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-3 813584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 01:31 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 02:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2007-12-12 14:11 72192 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2007-10-05 00:38 307200 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
2008-06-06 05:31 172032 ------w- c:\program files\ATI\Catalyst Media Center\CMCService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 11:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-06 14:51 135664 ----atw- c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 17:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-24 15:57 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-24 01:12 7630848 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-24 01:12 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-24 01:12 1617920 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2001-10-25 18:20 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\printray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-08-15 16:00 282624 ----a-w- c:\windows\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-08-14 02:24 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-10-31 02:06 2595616 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\9.00\\Exceed\\exceed.exe"=
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=
"c:\\Program Files\\SAMSUNG\\SAMSUNG PC Share Manager\\WiselinkPro.exe"=
"c:\\Program Files\\SAMSUNG\\SAMSUNG PC Share Manager\\http_ss_win_pro.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 Array_Utility_Service8.1.0.307;Array Utility Service 8,1,0,307;c:\program files\Array Networks\Common\8,1,0,307\arr_isrv.exe [7/21/2009 1:14 PM 303164]
R2 ArraySSL_VPN_Service8.1.0.307;Array SSL VPN Service 8,1,0,307;c:\program files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe [7/21/2009 1:15 PM 180284]
R2 HumDisplayServer;Hummingbird Exceed Display Management;c:\program files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe [7/23/2003 3:19 PM 53248]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [7/31/2007 8:18 PM 47640]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2/26/2007 10:12 PM 15104]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [4/17/2007 1:00 PM 12856]
S3 ATP;Array Networks VPN Adapter;c:\windows\system32\drivers\atpdrvr.sys [7/21/2009 1:15 PM 16242]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [12/12/2007 8:56 PM 458820]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [12/25/2007 4:44 PM 39704]
S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe [7/1/2009 9:29 AM 6795333]
S4 E10uhcbday;E10uhcbday; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: turbotax.com
TCP: {A2474277-E85B-4784-BBF6-F480EF01EDCC} = 130.35.249.41,138.2.202.15,144.20.190.70
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {032C5CBC-2272-438F-AC73-38EA92AF19BD} - hxxp://68.253.179.127/WebViewer.cab
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.1.26/img/NetCamPlayerWeb11g.ocx
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://192.168.1.36/img/LinksysViewer.cab
DPF: {B0424F8A-E33B-44C1-B076-4ECB9B3FA6F8} - hxxps://dlweb.cti.depaul.edu/COL4/CLIENT5/FileDownloadCtrl.cab
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://ouvpn.us.oracle.com/prx/000/http/localhost/arr_x.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.115/NetCamPlayerWeb11gv2.cab
FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\yz9jcs5j.default\
FF - plugin: c:\documents and settings\Alex\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
AddRemove-Array SSL VPN8,1,0,307 - c:\program files\Array Networks\Common\8
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 12:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
GuideMenu = c:\program files\Corel\Corel GuideMenu\GuideMenu.exe -hide???????h????????????????+x????????????Step1_1_Base????????????0J?????????e???e???e???e"??e???e???e??????+x????????????CTRL_POS?????????? ?????????(|??????????28,107,295,162????????????+x?????????????p?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\LMIinit.dll
- - - - - - - > 'lsass.exe'(1124)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(5556)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\9.00\Hummingbird Neighborhood\heshell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
c:\program files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-20 12:11:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 18:11
Pre-Run: 86,149,742,592 bytes free
Post-Run: 86,611,505,152 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - AE471656444A330958B3E0295E4596F8
New HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:43 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070218
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GuideMenu] C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe -hide
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {032C5CBC-2272-438F-AC73-38EA92AF19BD} (WebViewer Control) - http://68.253.179.127/WebViewer.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.26/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://192.168.1.36/img/LinksysViewer.cab
O16 - DPF: {B0424F8A-E33B-44C1-B076-4ECB9B3FA6F8} (FileDownloadCtrl Control) - https://dlweb.cti.depaul.edu/COL4/CLIENT5/FileDownloadCtrl.cab
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://ouvpn.us.oracle.com/prx/000/http/localhost/arr_x.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115/NetCamPlayerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2474277-E85B-4784-BBF6-F480EF01EDCC}: NameServer = 130.35.249.41,138.2.202.15,144.20.190.70
O18 - Protocol: bw+0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: offline-8876480 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Array SSL VPN Service 8,1,0,307 (ArraySSL_VPN_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
O23 - Service: Array Utility Service 8,1,0,307 (Array_Utility_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe
--
End of file - 25794 bytes
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, December 22, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, December 22, 2009 01:55:36
Records in database: 3397597
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
Scan statistics:
Objects scanned: 189745
Threats found: 5
Infected objects found: 7
Suspicious objects found: 3
Scan duration: 08:01:57
File name / Threat / Threats count
C:\Documents and Settings\Alex\Local Settings\Application Data\Microsoft\Outlook\archive1.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\Alex\Local Settings\temp\File234.exe Infected: Trojan.Win32.Buzus.cuvy 1
C:\Documents and Settings\Alex\Local Settings\temp\File235.exe Infected: Trojan.Win32.Buzus.cuvy 1
C:\Documents and Settings\Alex\Local Settings\temp\plugtmp\plugin-oHce777e04V03006f35002Rd6696d38102T855883c3Q000002fd901801F0020000aJ06000501l0409K6147504a317 Infected: Exploit.Win32.Pidief.cvl 1
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\13M639F3\codec[1].exe Infected: Trojan.Win32.Buzus.cuvy 1
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\8PRFUT46\codec[1].exe Infected: Trojan.Win32.Buzus.cuvy 1
C:\Documents and Settings\Alex\My Documents\My Music\Limewire\DJ Klubbingman - Ragsy vs. Laurent Konrad - This beat is.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
Selected area has been scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:09 PM, on 12/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070218
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {032C5CBC-2272-438F-AC73-38EA92AF19BD} (WebViewer Control) - http://68.253.179.127/WebViewer.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.26/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://192.168.1.36/img/LinksysViewer.cab
O16 - DPF: {B0424F8A-E33B-44C1-B076-4ECB9B3FA6F8} (FileDownloadCtrl Control) - https://dlweb.cti.depaul.edu/COL4/CLIENT5/FileDownloadCtrl.cab
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://ouvpn.us.oracle.com/prx/000/http/localhost/arr_x.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.115/NetCamPlayerWeb11gv2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2474277-E85B-4784-BBF6-F480EF01EDCC}: NameServer = 130.35.249.41,138.2.202.15,144.20.190.70
O18 - Protocol: bw+0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: offline-8876480 - {5F259202-0D98-40B7-A63C-0F101CBA9D1B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Array SSL VPN Service 8,1,0,307 (ArraySSL_VPN_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
O23 - Service: Array Utility Service 8,1,0,307 (Array_Utility_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe
--
End of file - 25793 bytes
Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit to close ATF-Cleaner.
Empty these folders:
C:\Documents and Settings\Alex\My Documents\My Music\Limewire\
C:\Qoobox\Quarantine\
Empty Recycle Bin.
Still problems?
It doesn't seem to be redirecting anymore. What can I do to protect myself from future issues, purchase spyware software, etc...?
See below for my tips :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)
Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.