multiple iexplore.exe + cpu usage



lex200
2010-03-01, 02:49
Hi, not sure if I have a virus, but I updated IE7 to IE8 a few days ago and since then I noticed that I have multiple iexplore.exe with 1 page, 1 tab open. I have run a number of virus scanners. Malwarebytes found and deleted the following, but the problem is still there....
Can you please check the log for me? Thanks in advance!


Malwarebytes' Anti-Malware 1.44
Database version: 3787
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/02/2010 03:36:21
mbam-log-2010-02-25 (03-36-21).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 270763
Time elapsed: 1 hour(s), 20 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{68d6728a-d715-492a-a57b-8dda01f4921f} (Trojan.Hiloti) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\RLOFRDec.ax (Trojan.Hiloti) -> Quarantined and deleted successfully.




Log created by WinPatrol PLUS version 17.0.2010.0:17.0.2010.0
Scan saved at 1:31:45 AM, on 3/01/2010
Platform: Windows XP SP3 Service Pack 3 (Build 2600)
MSIE: Internet Explorer (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\A-SQUARED FREE\A2SERVICE.EXE
C:\PROGRAM FILES\COMMON FILES\Apple\MOBILE DEVICE SUPPORT\bin\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\Bonjour\MDNSRESPONDER.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE
C:\PROGRAM FILES\McAfee\SITEADVISOR\McSACore.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\PROGRAM FILES\COMMON FILES\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\PROGRAM FILES\McAfee\MPF\MpfSrv.exe
C:\PROGRAM FILES\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\PROGRAM FILES\MICROSOFT INTELLITYPE PRO\itype.exe
C:\PROGRAM FILES\MICROSOFT INTELLIPOINT\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\iPod\bin\IPODSERVICE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\firefox.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\PROGRAM FILES\ESET\ESET ONLINE SCANNER\ONLINECMDLINESCANNER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: - {5C255C8A-E604-49b4-9D64-90988571CECB} -
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp]stsystra.exe
O4 - HKLM\..\Run: [mcagent_exe]C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [itype]C:\Program Files\Microsoft IntelliType Pro\itype.exe
O4 - HKLM\..\Run: [IntelliPoint]C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - HKLM\..\Run: [amd_dc_opt]C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinPatrol PLUS]C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKCU\..\Run: [msnmsgr]C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre6\bin
O11 - Options group: [] -
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_17) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim) - http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5904/mcfscan.cab
O21 - WPDShServiceObj - WPDShServiceObj Class - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee Application Installer Cleanup (0259611266474712) - - C:\WINDOWS\TEMP\025961~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: a-squared Free Service - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Defragmentation-Service - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe
O23 - Service: Google Software Updater - - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service - - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter - - C:\Program Files\Java\jre6\bin\jqs.exe -service -config C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent - McAfee, Inc. - c:\program files\common files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service - McAfee, Inc. - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Scheduler2 Service - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) - - C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter
O23 - Service: WUSB54GSv2SVC - - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54GSv2.exe

--- Additional WinPatrol Info ---
Default Browser: Windows® Internet Explorer - Internet Explorer version 8.00.6001.18702
MSIE: Internet Explorer (8.00.6001.18702)
Firefox 3.6 installed in C:\Program Files\Mozilla Firefox.
6 IE Cookies in Folder: C:\Documents and Settings\Shez\Cookies\
0 Mozilla Cookies in Folder: C:\Documents and Settings\Shez\Application Data\Mozilla\FireFox\Profiles\cysjj9ci.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS2: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.

WP06 - Delayed Start: [msnmsgr]C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\msnmsgr.exe

WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [Microsoft_Hardware_Launch_IType_exe.job]C:\Program Files\Microsoft IntelliType Pro\itype.exe Never
WP31 - Scheduled Tasks: [Microsoft_Hardware_Launch_IPoint_exe.job]C:\Program Files\Microsoft IntelliPoint\ipoint.exe 12/08/2008 1:42 AM
WP31 - Scheduled Tasks: [McQcTask.job]c:\program files\McAfee\MQC\QcConsol.exe 03/01/2010 1:00 AM
WP31 - Scheduled Tasks: [McDefragTask.job]c:\program files\McAfee\MQC\QcConsol.exe 01/15/2010 1:00 AM
WP31 - Scheduled Tasks: [AppleSoftwareUpdate.job]C:\Program Files\Apple Software Update\SoftwareUpdate.exe 02/26/2010 7:52 PM

WP16 - ActiveX: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [QuickTime Object] C:\PROGRAM FILES\QUICKTIME\QTPlugin.ocx QuickTime 7.5.5 (990.7)
WP16 - ActiveX: {0468C085-CA5B-11D0-AF08-00609797F0E0} [Outlook Today's Data-binding control] C:\Program Files\Microsoft Office\Office12\OUTLCTL.DLL
WP16 - ActiveX: {17492023-C23A-453E-A040-C7C580BBF700} [Windows Genuine Advantage Validation Tool] C:\WINDOWS\system32\LEGITCHECKCONTROL.DLL 1.7.0069.2
WP16 - ActiveX: {19916E01-B44E-4E31-94A4-4696DF46157B} [InformationCardSigninHelper Class] C:\WINDOWS\system32\icardie.dll 8.00.6001.18702
WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\system32\wmpdxm.dll 11.0.5721.5268
WP16 - ActiveX: {25336920-03F9-11CF-8FD0-00AA00686F13} [HTML Document] C:\WINDOWS\system32\mshtml.dll 8.00.6001.18876
WP16 - ActiveX: {2933BF90-7B36-11D2-B20E-00C04F983E60} [XML DOM Document] C:\WINDOWS\system32\msxml3.dll 8.100.1051.0
WP16 - ActiveX: {2D360201-FFF5-11D1-8D03-00A0C959BC0A} [DHTML Edit Control Safe for Scripting for IE5] C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\Triedit\dhtmled.ocx 6.01.9247
WP16 - ActiveX: {38481807-CA0E-42D2-BF39-B33AF135CC4D} [IETag Factory] C:\Program Files\Common Files\Microsoft Shared\Smart Tag\IETAG.DLL 12.0.6425.1000
WP16 - ActiveX: {4063BE15-3B08-470D-A0D5-B37161CFFD69} [QuickTime Object] C:\PROGRAM FILES\QUICKTIME\QTPlugin.ocx QuickTime 7.5.5 (990.7)
WP16 - ActiveX: {48123BC4-99D9-11D1-A6B3-00C04FD91555} [XML Document] C:\WINDOWS\system32\msxml3.dll 8.100.1051.0
WP16 - ActiveX: {4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2} [Microsoft Terminal Services Client Control (redist)] C:\WINDOWS\system32\mstscax.dll 6.0.6001.18266
WP16 - ActiveX: {5852F5ED-8BF4-11D4-A245-0080C6F74284} [isInstalled Class] C:\PROGRAM FILES\Java\jre6\bin\wsdetect.dll 6.0.170.4
WP16 - ActiveX: {6414512B-B978-451D-A0D8-FCFDF33E833C} [WUWebControl Class] C:\WINDOWS\system32\wuweb.dll 7.4.7600.226
WP16 - ActiveX: {6BF52A52-394A-11D3-B153-00C04F79FAA6} [Windows Media Player] C:\WINDOWS\system32\wmp.dll 11.0.5721.5268
WP16 - ActiveX: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [MUWebControl Class] C:\WINDOWS\system32\muweb.dll 7.4.7600.226
WP16 - ActiveX: {7390f3d8-0439-4c05-91e3-cf5cb290c3d0} [Microsoft Terminal Services Client Control (redist)] C:\WINDOWS\system32\mstscax.dll 6.0.6001.18266
WP16 - ActiveX: {7530BFB8-7293-4D34-9923-61A11451AFC5} [OnlineScanner Control] C:\Program Files\ESET\ESET Online Scanner\OnlineScanner.ocx 1.0.0.6211
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18876
WP16 - ActiveX: {88D969C0-F192-11D4-A65F-0040963251E5} [XML DOM Document 4.0] C:\WINDOWS\system32\msxml4.dll 4.20.9876.0
WP16 - ActiveX: {88D969E5-F192-11D4-A65F-0040963251E5} [XML DOM Document 5.0] C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE11\msxml5.dll 5.20.1087.0
WP16 - ActiveX: {88D96A05-F192-11D4-A65F-0040963251E5} [XML DOM Document 6.0] C:\WINDOWS\system32\msxml6.dll 6.20.1103.0
WP16 - ActiveX: {88D96A06-F192-11D4-A65F-0040963251E5} [Free Threaded XML DOM Document 6.0] C:\WINDOWS\system32\msxml6.dll 6.20.1103.0
WP16 - ActiveX: {88D96A08-F192-11D4-A65F-0040963251E5} [XSL Template 6.0] C:\WINDOWS\system32\msxml6.dll 6.20.1103.0
WP16 - ActiveX: {88D96A0A-F192-11D4-A65F-0040963251E5} [XML HTTP 6.0] C:\WINDOWS\system32\msxml6.dll 6.20.1103.0
WP16 - ActiveX: {8AD9C840-044E-11D1-B3E9-00805F499D93} [Java Plug-in 1.6.0_17] C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll
WP16 - ActiveX: {C9712B19-838B-45A5-ABF2-9A315DDDED50} [Microsoft Office 12 Authorization Control] C:\Program Files\Microsoft Office\Office12\AUTHZAX.DLL 12.0.6413.1000
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [Java Plug-in 1.6.0_07] C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll
WP16 - ActiveX: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [Java Plug-in 1.6.0_12] C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll
WP16 - ActiveX: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [Java Plug-in 1.6.0_17] C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll
WP16 - ActiveX: {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} [Deployment Toolkit] C:\WINDOWS\system32\deploytk.dll 6.0.170.4
WP16 - ActiveX: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [Java Plug-in 1.6.0_17] C:\PROGRAM FILES\Java\jre6\bin\NPJPI160_17.DLL 6.0.170.4
WP16 - ActiveX: {CB927D12-4FF7-4A9E-A169-56E4B8A75598} [Behavior Object] C:\PROGRAM FILES\QUICKTIME\QTPlugin.ocx QuickTime 7.5.5 (990.7)
WP16 - ActiveX: {CD3AFA76-B84F-48F0-9393-7EDC34128127} [AUDIO__MP3 Moniker Class] C:\WINDOWS\system32\wmp.dll 11.0.5721.5268
WP16 - ActiveX: {CD3AFA8F-B84F-48F0-9393-7EDC34128127} [VIDEO__X_MS_ASF Moniker Class] C:\WINDOWS\system32\wmp.dll 11.0.5721.5268
WP16 - ActiveX: {CD3AFA94-B84F-48F0-9393-7EDC34128127} [VIDEO__X_MS_WMV Moniker Class] C:\WINDOWS\system32\wmp.dll 11.0.5721.5268
WP16 - ActiveX: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} [Microsoft Url Search Hook] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18876
WP16 - ActiveX: {D2517915-48CE-4286-970F-921E881B8C5C} [Windows Live Sign-in Control] C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WINDOWS LIVE\WINDOWSLIVELOGIN.DLL 5.000.818.6
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx 10,0,45,2
WP16 - ActiveX: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} [iTunesDetector Class] C:\PROGRAM FILES\Itunes\ITDETECTOR.OCX 2.0.1.1
WP16 - ActiveX: {DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} [QuickTimeCheck Class] C:\PROGRAM FILES\QUICKTIME\QTSystem\QUICKTIMECHECK.OCX QuickTime 7.6.5 (1327.80)
WP16 - ActiveX: {DFEAF541-F3E1-4C24-ACAC-99C30715084A} [Microsoft Silverlight] C:\PROGRAM FILES\MICROSOFT SILVERLIGHT\3.0.50106.0\npctrl.dll 3.0.50106.0
WP16 - ActiveX: {E1771B7F-98BE-407F-BA67-AA16ADA5D0C5} [msgsc.14.0.8089.0726] C:\Program Files\Windows Live\Messenger\msgsc.14.0.8089.0726.dll 14.0.8089.0726
WP16 - ActiveX: {E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05} [NameCtrl Class] C:\PROGRAM FILES\MICROSOFT OFFICE\Office12\NAME.DLL 12.0.6423.1000
WP16 - ActiveX: {ED8C108E-4349-11D2-91A4-00C04F7969E8} [XML HTTP Request] C:\WINDOWS\system32\msxml3.dll 8.100.1051.0
WP16 - ActiveX: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} [McFreeScan Class] C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll 3, 0, 0, 5904
WP16 - ActiveX: {F5078F32-C551-11D3-89B9-0000F81FE221} [XML DOM Document 3.0] C:\WINDOWS\system32\msxml3.dll 8.100.1051.0
WP16 - ActiveX: {F6D90F11-9C73-11D3-B32E-00C04F990BB4} [XML DOM Document] C:\WINDOWS\system32\msxml3.dll 8.100.1051.0
WP16 - ActiveX: {F6D90F16-9C73-11D3-B32E-00C04F990BB4} [XML HTTP] C:\WINDOWS\system32\msxml3.dll 8.100.1051.0
WP16 - ActiveX: {DFEAF541-F3E1-4c24-ACAC-99C30715084A} [Microsoft Silverlight] C:\PROGRAM FILES\MICROSOFT SILVERLIGHT\3.0.50106.0\npctrl.dll 3.0.50106.0
WP16 - ActiveX: DFEAF541-F3E1-4c24-ACAC-99C30715084A [Microsoft Silverlight] C:\PROGRAM FILES\MICROSOFT SILVERLIGHT\3.0.50106.0\npctrl.dll 3.0.50106.0
WP16 - ActiveX: {00024522-0000-0000-C000-000000000046} [RefEdit.Ctrl] C:\Program Files\Microsoft Office\Office12\REFEDIT.DLL 12.0.6413.1000
WP16 - ActiveX: {261B8CA9-3BAF-4BD0-B0C2-BF04286785C6} [Microsoft Office Outlook View Control] C:\Program Files\Microsoft Office\Office12\OUTLCTL.DLL
WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\WINDOWS\system32\wmpdxm.dll 11.0.5721.5268
WP16 - ActiveX: {0713E8A2-850A-101B-AFC0-4210102A8DA7} [Microsoft TreeView Control, version 5.0 (SP2)] C:\WINDOWS\system32\COMCTL3N.OCX 6.00.8105
WP16 - ActiveX: {0713E8D2-850A-101B-AFC0-4210102A8DA7} [Microsoft ProgressBar Control, version 5.0 (SP2)] C:\WINDOWS\system32\COMCTL3N.OCX 6.00.8105
WP16 - ActiveX: {1D2B4F40-1F10-11D1-9E88-00C04FDCAB92} [ThumbCtl Class] C:\WINDOWS\system32\webvw.dll 6.00.2900.5512
WP16 - ActiveX: {F8CF7A98-2C45-4c8d-9151-2D716989DDAB} [Microsoft Visio Document] C:\Program Files\Microsoft Office\Office12\VVIEWER.DLL 12.0.6513.5000
WP16 - ActiveX: {DFEAF541-F3E1-4c24-ACAC-99C30715084A} [Microsoft Silverlight] C:\PROGRAM FILES\MICROSOFT SILVERLIGHT\3.0.50106.0\npctrl.dll 3.0.50106.0
WP16 - ActiveX: {ECD0ECC6-DCA4-4013-A915-12355AB70999} [MSWebDVD Class] C:\WINDOWS\system32\mswebdvd.dll 6.05.2600.5857
WP16 - ActiveX: {52A2AAAE-085D-4187-97EA-8C30DB990436} [HHCtrl Object] C:\WINDOWS\system32\hhctrl.ocx 5.2.3790.4110
WP16 - ActiveX: {54CE37E0-9834-41ae-9896-4DAB69DC022B} [Microsoft Terminal Services Client Control (redist)] C:\WINDOWS\system32\mstscax.dll 6.0.6001.18266
WP16 - ActiveX: {58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ListView Control, version 5.0 (SP2)] C:\WINDOWS\system32\COMCTL3N.OCX 6.00.8105
WP16 - ActiveX: {58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ImageList Control, version 5.0 (SP2)] C:\WINDOWS\system32\COMCTL3N.OCX 6.00.8105
WP16 - ActiveX: {6B7E638F-850A-101B-AFC0-4210102A8DA7} [Microsoft StatusBar Control, version 5.0 (SP2)] C:\WINDOWS\system32\COMCTL3N.OCX 6.00.8105
WP16 - ActiveX: {6A6F4B83-45C5-4ca9-BDD9-0D81C12295E4} [Microsoft Terminal Services Client Control (redist)] C:\WINDOWS\system32\mstscax.dll 6.0.6001.18266
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18876
WP16 - ActiveX: {8BD21D50-EC42-11CE-9E0D-00AA006002F3} [Microsoft Forms 2.0 OptionButton] C:\WINDOWS\system32\FM20.DLL 12.0.6514.5000
WP16 - ActiveX: {A3F2A195-0D11-463b-96BB-D2FF1B7490A1} [MSDVDAdm Class] C:\WINDOWS\system32\mswebdvd.dll 6.05.2600.5857
WP16 - ActiveX: {971127BB-259F-48c2-BD75-5F97A3331551} [Microsoft Terminal Services Client Control (redist)] C:\WINDOWS\system32\mstscax.dll 6.0.6001.18266
WP16 - ActiveX: {1989C694-3CF9-4a56-B1CC-2E3CB1D753D7} [HtmlInput Class] C:\WINDOWS\ehome\ehkeyctl.dll 5.1.2715.5512
WP16 - ActiveX: {AE24FDAE-03C6-11D1-8B76-0080C744F389} [Microsoft Scriptlet Component] C:\WINDOWS\system32\mshtml.dll 8.00.6001.18876
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx 10,0,45,2
WP16 - ActiveX: {E5DF9D10-3B52-11D1-83E8-00A0C90DC849} [WebViewFolderIcon Class] C:\WINDOWS\system32\webvw.dll 6.00.2900.5512

WP32 - Hidden File: C:\boot.ini
WP32 - Hidden File: C:\dell.sdr
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\IPH.PH
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\sqmdata00.sqm
WP32 - Hidden File: C:\sqmdata01.sqm
WP32 - Hidden File: C:\sqmdata02.sqm
WP32 - Hidden File: C:\sqmdata03.sqm
WP32 - Hidden File: C:\sqmdata04.sqm
WP32 - Hidden File: C:\sqmdata05.sqm
WP32 - Hidden File: C:\sqmdata06.sqm
WP32 - Hidden File: C:\sqmdata07.sqm
WP32 - Hidden File: C:\sqmdata08.sqm
WP32 - Hidden File: C:\sqmdata09.sqm
WP32 - Hidden File: C:\sqmdata10.sqm
WP32 - Hidden File: C:\sqmdata11.sqm
WP32 - Hidden File: C:\sqmdata12.sqm
WP32 - Hidden File: C:\sqmdata13.sqm
WP32 - Hidden File: C:\sqmdata14.sqm
WP32 - Hidden File: C:\sqmdata15.sqm
WP32 - Hidden File: C:\sqmdata16.sqm
WP32 - Hidden File: C:\sqmdata17.sqm
WP32 - Hidden File: C:\sqmdata18.sqm
WP32 - Hidden File: C:\sqmdata19.sqm
WP32 - Hidden File: C:\sqmnoopt00.sqm
WP32 - Hidden File: C:\sqmnoopt01.sqm
WP32 - Hidden File: C:\sqmnoopt02.sqm
WP32 - Hidden File: C:\sqmnoopt03.sqm
WP32 - Hidden File: C:\sqmnoopt04.sqm
WP32 - Hidden File: C:\sqmnoopt05.sqm
WP32 - Hidden File: C:\sqmnoopt06.sqm
WP32 - Hidden File: C:\sqmnoopt07.sqm
WP32 - Hidden File: C:\sqmnoopt08.sqm
WP32 - Hidden File: C:\sqmnoopt09.sqm
WP32 - Hidden File: C:\sqmnoopt10.sqm
WP32 - Hidden File: C:\sqmnoopt11.sqm
WP32 - Hidden File: C:\sqmnoopt12.sqm

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [WinRAR archive]C:\Program Files\WinRAR\WinRAR.exe %1
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .DOC: [Microsoft Office Word 97 - 2003 Document]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MSG: [Outlook Item]C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE /f %1
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealMedia file]C:\Program Files\Magic Video Converter\codec\real\Media Player Classic\mplayerc.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Format]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .XLS: [Microsoft Office Excel 97-2003 Worksheet]C:\Program Files\Microsoft Office\Office12\EXCEL.EXE /e

Memory currently in use: 33%
Physical Memory Free: 2,094,012 KB
Paging File Free: 4,194,303 KB
Virtual Memory Free: 2,025,976 KB


--
End of file

Blade81
2010-03-04, 11:38
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

lex200
2010-03-04, 16:15
First off, I had a problem when running GMER: on the first attempt I got a blue screen of death; the second time it ran, but the computer froze after it had finished. Attached are all the logs, finally.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Shez at 13:53:14.67 on 04/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2470 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: ESET NOD32 antivirus system 2.51 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Shez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WinPatrol PLUS] c:\program files\billp studios\winpatrol\WinPatrol.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MSNMSGR.EXE" /background
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5904/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shez\applic~1\mozilla\firefox\profiles\cysjj9ci.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service





FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 214664]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-2-28 1858144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-5 236368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-7 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-10 144704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-5 19160]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-10 40552]
S2 0259611266474712mcinstcleanup;McAfee Application Installer Cleanup (0259611266474712);c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-3-13 410976]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-7-6 13224]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-10 34248]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [2007-5-23 273982]
S3 W35UND;ISSC35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\w35und.sys --> c:\windows\system32\drivers\W35UND.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2009-5-13 53307]

=============== Created Last 30 ================

2010-03-03 12:26:08 15360 ----a-w- c:\windows\system32\taskman.exe
2010-03-01 10:34:24 0 d-----w- c:\docume~1\shez\applic~1\DVDCreator
2010-02-28 15:57:46 0 d-----w- c:\program files\a-squared Free
2010-02-27 16:14:32 421888 ----a-w- c:\windows\system32\ac3filter.acm
2010-02-27 15:44:37 737280 ----a-w- c:\windows\iun6002.exe
2010-02-27 01:27:13 0 d-----w- c:\windows\McAfee.com
2010-02-26 15:46:05 0 d-----w- c:\windows\system32\system
2010-02-26 15:46:03 719872 ----a-w- c:\windows\system32\devil.dll
2010-02-26 15:46:03 308224 ----a-w- c:\windows\system32\avisynth.dll
2010-02-26 15:29:17 685056 ----a-w- c:\windows\is-O8P9S.exe
2010-02-26 15:29:17 295 ----a-w- c:\windows\is-O8P9S.lst
2010-02-26 15:29:17 10821 ----a-w- c:\windows\is-O8P9S.msg
2010-02-25 01:23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-02-24 22:36:59 0 dc-h--w- c:\windows\ie8
2010-02-24 22:33:53 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-10 16:02:28 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-03-03 12:26:08 3072 ----a-w- c:\windows\system32\systray.exe
2010-03-03 12:26:08 3072 ----a-w- c:\windows\system32\dllcache\systray.exe
2010-03-03 12:26:08 15360 ----a-w- c:\windows\taskman.exe
2010-03-03 12:26:08 15360 ----a-w- c:\windows\system32\dllcache\taskman.exe
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:21 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-11 08:38:55 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-05 18:32:27 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2008-02-03 22:43:03 168 --sha-r- c:\windows\system32\B5D7B751F3.sys
2008-02-03 22:43:10 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-12 22:14:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 13:54:04.03 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/01/2007 13:02:13
System Uptime: 03/04/2010 13:48:24 (-720 hours ago)

Motherboard: Dell Inc | | 0CT103
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket M2 | 2605/1000mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 293 GiB total, 211.216 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 932 GiB total, 403.096 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
a-squared Free 4.5
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.1
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
AiO_Scan_CDA
AiOSoftwareNPI
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo WinOptimizer 6.20
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Broadcom Management Programs
BufferChm
C3100
c3100_Help
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Dell System Restore
Destinations
DeviceManagementQFolder
DivX
DocProc
DocProcQFolder
Dual-Core Optimizer
eSupportQFolder
Fax_CDA
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
iTunes
Java(TM) 6 Update 17
Linksys Wireless-G USB Network Adapter
Magic Video Converter 10.0.10.2009
Malwarebytes' Anti-Malware
MarketResearch
McAfee SecurityCenter
McAfee Uninstaller
McAfee Virtual Technician
MCU
MediaMonkey 3.2
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft IntelliPoint 6.1
Microsoft IntelliType Pro 6.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Works
Microsoft XML Parser
Mozilla Firefox (3.6)
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
NewCopy_CDA
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
PanoStandAlone
ProductContextNPI
PSP ISO Compressor
QuickTime
Readme
Scan
ScannerCopy
Seagate*DiscWizard
Secunia PSI
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
SolutionCenter
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Spybot - Search & Destroy
SpywareBlaster 4.2
Status
Toolbox
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VCRedistSetup
WBFS Manager 3.0
WD Diagnostics
WebCyberCoach 3.2 Dell
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinPatrol 2009
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
XP Codec Pack
Your Uninstaller! 2010

==== Event Viewer Messages From Past Week ========

28/02/2010 17:44:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
28/02/2010 17:43:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec mfehidk MPFP MRxSmb NetBIOS NetBT nvatabus nvraid RasAcd Rdbss Tcpip
28/02/2010 17:43:37, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2010 17:43:37, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2010 17:43:37, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2010 17:43:37, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2010 17:43:13, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
28/02/2010 17:43:11, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
27/02/2010 18:29:23, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
27/02/2010 15:54:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvatabus nvraid
27/02/2010 15:54:34, error: Service Control Manager [7001] - The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
25/02/2010 03:38:53, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
04/03/2010 13:47:17, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03/03/2010 12:19:07, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 00188B85C411 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
03/03/2010 12:17:39, information: Windows File Protection [64002] - File replacement was attempted on the protected system file taskman.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
03/03/2010 12:17:39, information: Windows File Protection [64002] - File replacement was attempted on the protected system file systray.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

==== End Of File ===========================
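The DDS output above is what the helpers on this forum read line by line. As an added example (not part of the thread, and not code from DDS, Malwarebytes, GMER or any vendor named in the logs), here is a small Python triage pass over DDS-style lines of the kinds posted above: BHO entries registered with `No File`, Run values that name a bare executable with no directory, Hosts entries that pin a non-local name to loopback, service entries whose binary sits under a temp directory or that DDS printed with `[?]` and no size/date, and Windows File Protection 64002 events. The heuristics and the names `triage`, `Finding`, `first_token`, `is_qualified` and `summarize` are my own assumptions; the sample lines are copied from the posted log. A hit marks a line for a human to check, not a verdict.

```python
"""Triage pass over DDS-style log lines of the kind posted in this thread.

Added example (not part of the thread, not DDS's or any vendor's code).
Each heuristic is an assumption about what a removal helper looks at first;
a hit is a line to review by hand, not a verdict.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # heuristic that fired
    line: str   # the log line that triggered it


# Entry formats as they appear in the posted DDS output.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<scope>[umd])Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
WFP_RE = re.compile(r"Windows File Protection \[64002\] - File replacement was attempted "
                    r"on the protected system file (?P<file>\S+?)\.\s")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Sample input, constructed from lines in the log posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\MSNMSGR.EXE" /background
mRun: [SigmatelSysTrayApp] stsystra.exe
Hosts: 127.0.0.1 www.spywareinfo.com
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 214664]
S2 0259611266474712mcinstcleanup;McAfee Application Installer Cleanup (0259611266474712);c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 W35UND;ISSC35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\w35und.sys --> c:\windows\system32\drivers\W35UND.SYS [?]
03/03/2010 12:17:39, information: Windows File Protection [64002] - File replacement was attempted on the protected system file taskman.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
"""


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or the first bare word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_qualified(exe: str) -> bool:
    """True when the value names a directory, so the loader is not left to search for it."""
    return "\\" in exe or "/" in exe or ":" in exe


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            # CLSID still registered as a BHO but the DLL is gone: leftover to clean up.
            if m.group("path").strip().lower() == "no file":
                findings.append(Finding("orphan-bho", line))
        elif m := RUN_RE.match(line):
            # Bare filename in a Run value: origin unclear, resolved by path search.
            if not is_qualified(first_token(m.group("cmd"))):
                findings.append(Finding("run-unqualified-path", line))
        elif m := HOSTS_RE.match(line):
            # Hosts file pinning a non-local name to loopback: deliberate block or hijack.
            if m.group("ip") in LOOPBACK and m.group("host").lower() != "localhost":
                findings.append(Finding("hosts-override", line))
        elif m := SVC_RE.match(line):
            # DDS printed no size/date ([?]) for the binary, or it lives under a temp dir.
            path = m.group("path").lower()
            if path.endswith("[?]") or "\\temp\\" in path:
                findings.append(Finding("service-unverified-or-temp", line))
        elif WFP_RE.search(line):
            # Something tried to replace a protected system file; WFP rolled it back.
            findings.append(Finding("wfp-restore", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of hits per heuristic."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.kind:28} {f.line[:90]}")
    print(summarize(hits))
```

Run against the constructed sample it flags the orphaned BHO, the bare `stsystra.exe` Run value, the `www.spywareinfo.com` Hosts line, both `[?]` service entries and the `taskman.exe` WFP event, and leaves the fully pathed Adobe BHO, the quoted Messenger Run value and the dated McAfee driver alone. Every hit still needs a person to decide whether the entry is expected on that machine.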

lex200
2010-03-04, 16:24
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-04 14:54:31
Windows 5.1.2600 Service Pack 3
Running: u4ts3zvl.exe; Driver: C:\DOCUME~1\Shez\LOCALS~1\Temp\uxddapog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA814678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8146821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8146738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA814674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8146835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8146861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA81468CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA81468B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA81467CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA81468FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA814680D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8146710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8146724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA814679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA8146937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA81468A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA814688D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA814684B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA8146923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA814690F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8146776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8146762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8146877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA81467F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA81468E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA81467E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA81467B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP A81467B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02150FEF
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02150F7F
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02150F90
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02150FA1
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0215005E
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02150FCD
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02150F3D
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02150F58
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02150F22
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021500B1
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02150F11
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02150FBC
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0215000A
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0215008F
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02150FDE
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02150025
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 021500A0
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02140036
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02140FAF
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02140025
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02140FE5
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0214006C
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02140000
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0214005B
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02140FCA
.text C:\WINDOWS\Explorer.EXE[360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02130053
.text C:\WINDOWS\Explorer.EXE[360] msvcrt.dll!system 77C293C7 5 Bytes JMP 02130FBE
.text C:\WINDOWS\Explorer.EXE[360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0213001D
.text C:\WINDOWS\Explorer.EXE[360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02130FE3
.text C:\WINDOWS\Explorer.EXE[360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0213002E
.text C:\WINDOWS\Explorer.EXE[360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0213000C
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01E90FEF
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01E90FD4
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01E9000A
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01E9001B
.text C:\WINDOWS\Explorer.EXE[360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 020D0FE5
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F69
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A70F7A
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A70F8B
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A70FA8
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FB9
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A700AF
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70094
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A70F31
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A70F42
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A70F0C
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A7004A
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70079
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70FCA
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A700C0
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00810025
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00810065
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810FA8
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00810FB9
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A1, 88]
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00810036
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800F92
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!system 77C293C7 5 Bytes JMP 0080001D
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800FB7
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0080000C
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 007E0FCA
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[552] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 007E0FAF
.text C:\WINDOWS\system32\svchost.exe[552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0000
.text C:\Program Files\a-squared Free\a2service.exe[724] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002A0F7C
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 002A0067
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 002A0056
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 002A0F8D
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 002A0FA8
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002A0F44
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002A0F61
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002A00C2
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002A00A7
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002A00D3
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 002A0039
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002A008C
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002A0F29
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FD4
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F90
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290025
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FA1
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FB2
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FC3
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0028002F
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00280F9A
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00280FAB
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00280FEF
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00280000
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00280FC6
.text C:\WINDOWS\system32\svchost.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00270000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0006007D
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00060F92
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0006006C
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000600B3
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00060F77
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000600E9
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00060F50
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00060F2B
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00060098
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000600C4
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0005004A
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00050FA8
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0005002F
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00050014
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00050FC3
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [25, 88]
.text C:\WINDOWS\system32\services.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0005005B
.text C:\WINDOWS\system32\services.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00040069
.text C:\WINDOWS\system32\services.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0004003A
.text C:\WINDOWS\system32\services.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0004000C
.text C:\WINDOWS\system32\services.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0004001D
.text C:\WINDOWS\system32\services.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00030000
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90090
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C9007F
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90058
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90047
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F63
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C900AB
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F19
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900BC
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900CD
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F80
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F48
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FC3
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80065
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80FA8
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C8004A
.text C:\WINDOWS\system32\lsass.exe[1172] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C8002F
.text C:\WINDOWS\system32\lsass.exe[1172] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70049
.text C:\WINDOWS\system32\lsass.exe[1172] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C7002E
.text C:\WINDOWS\system32\lsass.exe[1172] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70FD9
.text C:\WINDOWS\system32\lsass.exe[1172] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\lsass.exe[1172] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70FC8
.text C:\WINDOWS\system32\lsass.exe[1172] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C7001D
.text C:\WINDOWS\system32\lsass.exe[1172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF004A
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0F55
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0039
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0F7C
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0F97
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0082
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0067
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF009D
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF0F04
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF00AE
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF001E
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF0F3A
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0FA8
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF0FB9
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0F1F
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE002C
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE005F
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0011
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE004E
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EE0FB6
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0E, 89]
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE003D
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0040
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED0FB5
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED000A
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED001B
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED0FC6
.text C:\WINDOWS\system32\svchost.exe[1344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF007B
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF006A
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF004D
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F90
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FB2
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F44
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF008C
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F18
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00B1
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F07
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FA1
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F61
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F33
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0058
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0047
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0049
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FBE
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FE3
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD002E
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[1468] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A004C
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F61
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F72
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A002F
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F15
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A005D
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0093
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0078
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EDF
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F04
.text C:\WINDOWS\system32\wuauclt.exe[1516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FCD
.text C:\WINDOWS\system32\wuauclt.exe[1516] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290058
.text C:\WINDOWS\system32\wuauclt.exe[1516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\wuauclt.exe[1516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\wuauclt.exe[1516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029003D
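
The GMER output above shows two kinds of hook lines. Some name a module after the jump target: the SSDT and kernel hooks in mfehidk.sys, the CALL in a2service.exe, the JMPs in mcproxy.exe. The long run of 5-byte JMPs in Explorer.EXE, svchost.exe, services.exe, lsass.exe and wuauclt.exe carries no module name at all; their targets (02150FEF, 00A70FE5, 00060000 and so on) fall in one 64 KiB region per hooked DLL rather than inside any loaded image. GMER appends the owning module only when it can map the target into a loaded image, so the unattributed lines point at code living in memory that no file on disk backs. That is a lead to follow up on, not a verdict by itself, since some security products inject their hooks the same way. The Python below is an added triage example, not part of lex200's post or of GMER: it parses lines in the shape printed above (the regex is written to that shape, which is an assumption about the format), folds the "+ 3 ... 2 Bytes [A1, 88]" remainder lines back into the patch they belong to, and for each process separates attributed from unattributed hooks, reports the distinct 64 KiB regions the unattributed stubs jump into, and the API families (file, registry, process creation, network, loader) they cover. The sample input is constructed from a few lines of this log so the script runs offline; the kernel "Code \SystemRoot\..." lines use a different shape and are not handled.

```python
"""Triage for GMER "User code sections" lines (added example, not part of GMER or the post).

GMER prints one line per inline hook:
    .text <proc>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Bytes JMP|CALL <target> [<owner> (<vendor>)]
and the remainder of a split patch as raw bytes:
    .text <proc>[<pid>] <dll>!<export> + <off> <addr> <n> Bytes [<hex>, <hex>]
<owner> appears only when GMER can map the target to a loaded image; no owner means the
stub sits in memory no file backs. That is a lead for review, not a verdict on its own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(  # written to the line shape shown in this log (assumption)
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^\s!]+)!(?P<func>\S+)(?:\s\+\s(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?:(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?|\[(?P<raw>[^\]]+)\])$"
)
# Coarse API families; anything starting with "Reg" is counted as registry.
FAMILIES = {
    "exec": {"CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem", "CreateThread"},
    "file": {"CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
}
# Constructed sample in the shape of the log above (values copied from it), so this runs offline.
SAMPLE = r"""
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02150FEF
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02150F22
.text C:\WINDOWS\Explorer.EXE[360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02140036
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01E90FEF
.text C:\WINDOWS\Explorer.EXE[360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 020D0FE5
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00810FB9
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A1, 88]
.text C:\Program Files\a-squared Free\a2service.exe[724] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

@dataclass
class Hook:
    proc: str
    pid: int
    dll: str
    func: str
    nbytes: int
    kind: str                    # "JMP" or "CALL"
    target: int
    owner: Optional[str] = None  # module GMER attributed the target to, if any
    fragments: int = 0           # raw-byte remainder lines GMER split off this patch

    @property
    def region(self) -> int:
        # VirtualAlloc hands out 64 KiB-aligned blocks, so stubs from one allocation share this base.
        return self.target & ~0xFFFF

def family(func: str) -> Optional[str]:
    if func.startswith("Reg"):
        return "registry"
    return next((name for name, funcs in FAMILIES.items() if func in funcs), None)

def parse_user_hooks(text: str) -> List[Hook]:
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        key = (g["proc"], int(g["pid"]), g["dll"], g["func"])
        if g["raw"] is not None:
            # Remainder of a patch reported on an earlier line for the same export: fold it in.
            for h in reversed(hooks):
                if (h.proc, h.pid, h.dll, h.func) == key:
                    h.fragments += 1
                    break
            continue
        owner = g["owner"].strip() if g["owner"] else None
        hooks.append(Hook(*key, int(g["n"]), g["kind"], int(g["target"], 16), owner))
    return hooks

def summarize(hooks: List[Hook]) -> Dict[str, dict]:
    """Per process: attributed vs. unattributed hooks; for the latter, stub regions and API families."""
    out: Dict[str, dict] = {}
    for h in hooks:
        s = out.setdefault(f"{h.proc}[{h.pid}]",
                           {"attributed": [], "unattributed": [], "regions": set(), "families": set()})
        name = f"{h.dll}!{h.func}"
        if h.owner is not None:
            s["attributed"].append(name)
            continue
        s["unattributed"].append(name)
        s["regions"].add(h.region)
        fam = family(h.func)
        if fam:
            s["families"].add(fam)
    return out

def report(summary: Dict[str, dict]) -> List[str]:
    lines = []
    for proc, s in summary.items():
        if s["unattributed"]:
            regions = ", ".join(f"{r:08X}" for r in sorted(s["regions"]))
            lines.append(f"REVIEW {proc}: {len(s['unattributed'])} hook(s) into unbacked memory; "
                         f"stub region(s) {regions}; families {sorted(s['families'])}")
        if s["attributed"]:
            lines.append(f"ok     {proc}: {len(s['attributed'])} hook(s) attributed to a loaded module")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(parse_user_hooks(SAMPLE)))))
```

Run as-is it prints the report for the constructed sample; to triage a real log, paste the whole "User code sections" block into SAMPLE or read it from a file. A process whose unattributed hooks span file, registry, process creation and network APIs from a handful of 64 KiB regions, as Explorer.EXE does in the log above, is the one to pull a memory dump or Process Explorer DLL/memory listing from next; an attributed hook is only as trustworthy as the module it names, so the owner path and vendor string still deserve a glance.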

lex200
2010-03-04, 16:26
.text C:\WINDOWS\system32\wuauclt.exe[1516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290018
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A001E
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0054
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FCD
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FA1
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FB2
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\system32\wuauclt.exe[1516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A002F
.text C:\WINDOWS\system32\wuauclt.exe[1516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0000
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05450000
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05450F83
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05450F94
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05450062
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05450FA5
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05450036
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 054500B0
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0545009F
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05450F4D
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 054500E6
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0545010B
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05450047
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05450FE5
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05450F68
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05450025
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05450FD4
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 054500C1
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0544002F
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0544006C
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05440FDE
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05440014
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05440FB9
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05440FEF
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0544005B
.text C:\WINDOWS\System32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05440040
.text C:\WINDOWS\System32\svchost.exe[1564] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 05430031
.text C:\WINDOWS\System32\svchost.exe[1564] msvcrt.dll!system 77C293C7 5 Bytes JMP 05430016
.text C:\WINDOWS\System32\svchost.exe[1564] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 05430FC1
.text C:\WINDOWS\System32\svchost.exe[1564] msvcrt.dll!_open 77C2F566 5 Bytes JMP 05430FEF
.text C:\WINDOWS\System32\svchost.exe[1564] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 05430FB0
.text C:\WINDOWS\System32\svchost.exe[1564] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 05430FD2
.text C:\WINDOWS\System32\svchost.exe[1564] WS2_32.dll!socket 71AB4211 5 Bytes JMP 05420000
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 05410000
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0541001B
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 05410FDB
.text C:\WINDOWS\System32\svchost.exe[1564] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 05410FCA
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00290F7B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0029007A
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00290069
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00290058
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00290036
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0029009C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0029008B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00290F1E
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00290F2F
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002900D2
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00290047
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00290F60
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00290FD4
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002900AD
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00280FD4
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00280FAF
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00280FE5
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0028001B
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0028006C
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00280000
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0028005B
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00280040
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00270FAD
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00270038
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0027001D
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0027000C
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00270FC8
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00270FE3
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008E0FA8
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008E0FB9
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008E0087
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008E0076
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008E0FCA
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008E00D5
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008E0F8D
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008E0F43
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008E00E6
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008E00F7
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008E005B
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008E0FE5
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008E00B8
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008E0036
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008E0025
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008E0F68
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008D0FB2
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008D002F
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008D0FC3
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008D0FD4
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008D0F7C
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008D0F8D
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AD, 88]
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008D0014
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C0FD2
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0FE3
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C002E
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C000C
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C0053
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C001D
.text C:\WINDOWS\system32\svchost.exe[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A60095
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A60084
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A60069
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A60058
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A60FD1
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A60F71
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A600C3
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A60F56
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A600E5
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A6010A
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A60FB6
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A6001B
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A600A6
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A60047
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A6002C
.text C:\WINDOWS\system32\svchost.exe[2432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A600D4
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A5003D
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A5009F
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A5002C
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50084
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A50069
.text C:\WINDOWS\system32\svchost.exe[2432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50058
.text C:\WINDOWS\system32\svchost.exe[2432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40038
.text C:\WINDOWS\system32\svchost.exe[2432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40FB7
.text C:\WINDOWS\system32\svchost.exe[2432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A4001D
.text C:\WINDOWS\system32\svchost.exe[2432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[2432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A40FD2
.text C:\WINDOWS\system32\svchost.exe[2432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A4000C
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE007F
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE006E
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0F94
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0051
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0025
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE00B5
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0F6F
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00EB
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE0F52
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE00FC
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0036
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE0014
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE009A
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE0FB9
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE0FDE
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE00C6
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC004E
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC0FCD
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0022
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC0033
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DD0076
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DD0FB9
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DD0FDE
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DD005B
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DD0040
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DD0025
.text C:\WINDOWS\system32\dllhost.exe[3688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A4831D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016383a89f2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016383a89f2@0016b89a1eac 0xC5 0x25 0xB4 0x29 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016383a89f2@00162036fc10 0x25 0xEB 0xE5 0x04 ...
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxboultoyxyenxjmsfyxjbaomydcnmpapm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@imagepath \systemroot\system32\drivers\ovfsthodymrdttptqqcyopdncraawolnojpkfp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@inst 0
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@ver icv310309
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@cid 01
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@bid 2021506057-2606577421-1681171435-465083108
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@aid 303431
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@sid 64
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@cmddelay 14401
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{FAFC72D4-EC82-4882-8FCD-6FF8A40CD6B5}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsth.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsth.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsthlog.dat \systemroot\system32\ovfsthmcdjkfavgutndvntknythwsyiowjmbir.dat
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsth.dat \systemroot\system32\ovfsthrtftbnoctcedyrtjrfvvbymlghbtqenc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016383a89f2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016383a89f2@0016b89a1eac 0xC5 0x25 0xB4 0x29 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016383a89f2@00162036fc10 0x25 0xEB 0xE5 0x04 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016383a89f2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016383a89f2@0016b89a1eac 0xC5 0x25 0xB4 0x29 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016383a89f2@00162036fc10 0x25 0xEB 0xE5 0x04 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}@ablgadpineiaodmckkdgdmmnbofcogdiak 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}@bblgadpineiaodmckkcgcmemjapgggmojdko 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----

Blade81
2010-03-04, 21:00
IMPORTANT: I notice there are signs of one or more P2P (Peer-to-Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

After that:

Please visit this webpage for download links, and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

lex200
2010-03-04, 21:32
ComboFix 10-03-04.01 - Shez 04/03/2010 20:15:55.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2440 [GMT 0:00]
Running from: c:\documents and settings\Shez\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.51 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\is-O8P9S.exe
c:\windows\system32\system
c:\windows\system32\system\msvcr80.dll
c:\windows\system32\system\msvcr80d.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 19:58 . 2010-03-04 19:58 49152 ----a-r- c:\documents and settings\Shez\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe
2010-03-04 19:57 . 2010-03-04 19:58 -------- d-----w- c:\windows\166E180E9A3F41AE8B4022D8FFF4AF87.TMP
2010-03-03 12:26 . 2010-03-03 12:26 15360 ----a-w- c:\windows\system32\taskman.exe
2010-03-01 10:34 . 2010-03-01 10:34 -------- d-----w- c:\documents and settings\Shez\Application Data\DVDCreator
2010-02-28 15:57 . 2010-03-03 12:23 -------- d-----w- c:\program files\a-squared Free
2010-02-27 15:44 . 2010-02-27 15:43 737280 ----a-w- c:\windows\iun6002.exe
2010-02-27 01:27 . 2010-02-27 01:27 -------- d-----w- c:\windows\McAfee.com
2010-02-27 01:16 . 2010-02-27 01:22 -------- d-----w- c:\windows\BDOSCAN8
2010-02-26 15:46 . 2010-02-26 15:46 -------- d-----w- c:\documents and settings\Shez\Local Settings\Application Data\Real
2010-02-26 15:46 . 2005-10-28 08:44 308224 ----a-w- c:\windows\system32\avisynth.dll
2010-02-26 15:46 . 2004-02-22 00:11 719872 ----a-w- c:\windows\system32\devil.dll
2010-02-25 01:23 . 2008-06-08 23:58 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-02-24 22:36 . 2010-02-24 22:38 -------- dc-h--w- c:\windows\ie8
2010-02-24 22:33 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-10 16:02 . 2010-02-10 16:02 -------- d-----w- c:\program files\iPod
2010-02-10 15:55 . 2010-02-10 15:55 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 16:31 . 2007-01-07 18:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-04 16:30 . 2009-07-29 01:55 -------- d-----w- c:\documents and settings\Shez\Application Data\uTorrent
2010-03-03 12:26 . 2005-08-16 04:33 15360 ----a-w- c:\windows\taskman.exe
2010-03-03 12:26 . 2005-08-16 04:18 3072 ----a-w- c:\windows\system32\systray.exe
2010-03-02 23:37 . 2008-03-10 21:11 -------- d-----w- c:\program files\SpywareBlaster
2010-03-01 00:54 . 2009-03-21 13:15 -------- d-----w- c:\documents and settings\Shez\Application Data\Thinstall
2010-02-27 16:14 . 2009-07-04 20:17 -------- d-----w- c:\program files\XP Codec Pack
2010-02-27 14:24 . 2005-08-16 20:58 -------- d-----w- c:\program files\RGB
2010-02-26 16:20 . 2009-08-25 22:15 -------- d-----w- c:\program files\Magic Video Converter
2010-02-25 01:46 . 2009-07-29 01:57 -------- d-----w- c:\program files\uTorrent
2010-02-24 22:40 . 2007-02-22 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-18 12:42 . 2007-01-07 18:18 -------- d-----w- c:\program files\McAfee
2010-02-13 13:52 . 2009-12-28 18:43 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-02-10 16:03 . 2007-01-17 21:21 -------- d-----w- c:\program files\Itunes
2010-02-10 16:02 . 2007-07-05 10:31 -------- d-----w- c:\program files\Common Files\Apple
2010-02-10 15:59 . 2007-05-31 10:02 -------- d-----w- c:\program files\QuickTime
2010-02-02 11:59 . 2007-02-16 16:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-01 21:36 . 2010-01-22 16:49 -------- d-----w- c:\program files\QuickFreedom
2010-01-28 15:12 . 2010-01-28 15:11 -------- d-----w- c:\program files\MediaMonkey
2010-01-28 15:06 . 2010-01-28 14:46 -------- d-----w- c:\program files\Magic MP3 Tagger
2010-01-27 22:15 . 2010-01-27 22:10 -------- d-----w- c:\program files\MP3's Utilities
2010-01-21 02:26 . 2007-01-07 18:24 84664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-21 01:14 . 2008-06-06 20:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 14:46 . 2007-03-10 00:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 02:00 . 2009-09-22 01:55 316160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-11 23:11 . 2009-04-05 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 23:11 . 2009-04-10 02:46 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 16:07 . 2009-04-05 00:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-04-05 00:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2005-08-16 04:18 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 23:13 . 2007-01-20 20:00 84664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 20:27 . 2009-12-27 20:27 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-12-27 20:27 . 2009-12-27 20:27 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-12-27 20:27 . 2009-12-27 20:27 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-12-27 20:27 . 2009-12-27 20:27 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2009-12-22 14:24 . 2009-12-22 14:23 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-21 19:14 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-08-16 04:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-08-16 04:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-08-16 04:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-05 18:32 . 2009-12-05 18:32 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-12-05 18:32 . 2008-07-06 20:55 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2009-12-05 18:32 . 2008-07-06 20:55 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2008-02-03 22:43 . 2007-01-10 19:14 168 --sha-r- c:\windows\system32\B5D7B751F3.sys
2008-02-03 22:43 . 2007-02-17 16:12 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol PLUS"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2009-10-10 320832]
"msnmsgr"="c:\program files\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Itunes\\iTunes.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [28/02/2010 15:57 1858144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [05/04/2009 00:35 236368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [07/12/2008 02:24 93320]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [05/04/2009 00:35 19160]
S2 0259611266474712mcinstcleanup;McAfee Application Installer Cleanup (0259611266474712);c:\windows\TEMP\025961~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\025961~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [13/03/2009 20:06 410976]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/07/2008 20:55 13224]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 12:20 12648]
S3 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [24/06/2008 19:56 431384]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [23/05/2007 11:48 273982]
S3 W35UND;ISSC35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\DRIVERS\W35UND.SYS --> c:\windows\system32\DRIVERS\W35UND.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 16:06 11520]
S3 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [13/05/2009 21:58 53307]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 11:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 11:22]

2008-12-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]

2008-12-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Shez\Application Data\Mozilla\Firefox\Profiles\cysjj9ci.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Magic Video Converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Magic Video Converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service





FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-9CD348AE9C64C4B939B624E8E24F3903EFDFC82B - c:\progra~1\DIFX\270581355A767BF1\dpinst.exe
AddRemove-B726756F5B5A5AA9D798B399386FC6205A45F19E - c:\progra~1\DIFX\270581355A767BF1\dpinst.exe
AddRemove-C5A76DC11BABDA0A881E7BE8DDEB641365A77FFD - c:\progra~1\DIFX\270581355A767BF1\dpinst.exe
AddRemove-CD8424B9400BFF7D34AA18F816C71322AC4BDAA7 - c:\progra~1\DIFX\270581355A767BF1\dpinst.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 20:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2606577421-1681171435-465083108-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2606577421-1681171435-465083108-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ablgadpineiaodmckkdgdmmnbofcogdiak"=hex:61,61,00,00
"bblgadpineiaodmckkcgcmemjapgggmojdko"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1172)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-03-04 20:22:08
ComboFix-quarantined-files.txt 2010-03-04 20:22

Pre-Run: 229,308,043,264 bytes free
Post-Run: 229,268,918,272 bytes free

- - End Of File - - CA777E4A9EA1BB3E31741E5877BB9C5F

DDS (Ver_09-12-01.01) - NTFSx86
Run by Shez at 20:28:07.43 on 04/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2471 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: ESET NOD32 antivirus system 2.51 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Shez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [WinPatrol PLUS] c:\program files\billp studios\winpatrol\WinPatrol.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MSNMSGR.EXE" /background
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5904/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shez\applic~1\mozilla\firefox\profiles\cysjj9ci.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service





FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 214664]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-2-28 1858144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-5 236368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-7 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-10 144704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-5 19160]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-10 35272]
S2 0259611266474712mcinstcleanup;McAfee Application Installer Cleanup (0259611266474712);c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-3-13 410976]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-7-6 13224]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-10 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-10 40552]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [2007-5-23 273982]
S3 W35UND;ISSC35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\w35und.sys --> c:\windows\system32\drivers\W35UND.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2009-5-13 53307]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-10 606736]

=============== Created Last 30 ================

2010-03-04 20:15:21 98816 ----a-w- c:\windows\sed.exe
2010-03-04 20:15:21 77312 ----a-w- c:\windows\MBR.exe
2010-03-04 20:15:21 261632 ----a-w- c:\windows\PEV.exe
2010-03-04 20:15:21 161792 ----a-w- c:\windows\SWREG.exe
2010-03-04 19:57:46 0 d-----w- c:\windows\166E180E9A3F41AE8B4022D8FFF4AF87.TMP
2010-03-03 12:26:08 15360 ----a-w- c:\windows\system32\taskman.exe
2010-03-01 10:34:24 0 d-----w- c:\docume~1\shez\applic~1\DVDCreator
2010-02-28 15:57:46 0 d-----w- c:\program files\a-squared Free
2010-02-27 16:14:32 421888 ----a-w- c:\windows\system32\ac3filter.acm
2010-02-27 15:44:37 737280 ----a-w- c:\windows\iun6002.exe
2010-02-27 01:27:13 0 d-----w- c:\windows\McAfee.com
2010-02-26 15:46:03 719872 ----a-w- c:\windows\system32\devil.dll
2010-02-26 15:46:03 308224 ----a-w- c:\windows\system32\avisynth.dll
2010-02-26 15:29:17 295 ----a-w- c:\windows\is-O8P9S.lst
2010-02-26 15:29:17 10821 ----a-w- c:\windows\is-O8P9S.msg
2010-02-25 01:23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-02-24 22:36:59 0 dc-h--w- c:\windows\ie8
2010-02-24 22:33:53 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-10 16:02:28 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-03-03 12:26:08 3072 ----a-w- c:\windows\system32\systray.exe
2010-03-03 12:26:08 3072 ----a-w- c:\windows\system32\dllcache\systray.exe
2010-03-03 12:26:08 15360 ----a-w- c:\windows\taskman.exe
2010-03-03 12:26:08 15360 ----a-w- c:\windows\system32\dllcache\taskman.exe
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:21 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-11 08:38:55 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-05 18:32:27 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2008-02-03 22:43:03 168 --sha-r- c:\windows\system32\B5D7B751F3.sys
2008-02-03 22:43:10 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-12 22:14:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 20:28:25.00 ===============

Blade81
2010-03-04, 21:50
Hi again,

Disable WinPatrol's realtime protection.
Right-click the running icon of Winpatrol in the system tray
Choose exit. It will automatically restart at next boot.

Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\Shez\Application Data\uTorrent
c:\program files\uTorrent
SecCenter::
{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
RegNull::
[HKEY_USERS\S-1-5-21-2606577421-1681171435-465083108-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}*]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).

Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
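Added example, not part of this thread and not ComboFix, DDS or the helper's own tooling: a small Python triage script that reads the .reg-style registry sections, the BHO: lines and the LSA: Authentication Packages line in the form the logs above print them, flags the settings that weaken the machine's defences (Security Center monitoring switched off for a product, Windows Firewall off for the standard profile, a BHO registration whose file is missing, authentication packages other than the default msv1_0), and then re-runs the same checks as if the Registry:: block of a CFScript had been applied. The sample log text and sample script are constructed from the excerpts above; the flagging rules are the example's own and not something ComboFix reports.

```python
"""Triage helper for ComboFix/DDS log excerpts.  Added example, not part of the
thread or of ComboFix/DDS; the flagging rules below are the example's own."""
import re

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<raw>.*)$')
BHO_RE = re.compile(r'^BHO:\s*.*?(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.*)$')
LSA_RE = re.compile(r'^LSA:\s*Authentication Packages\s*=\s*(?P<pkgs>.*)$')

# Constructed sample: lines in the form of the ComboFix/DDS excerpts above,
# trimmed to the entries the checks look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
LSA: Authentication Packages = msv1_0 relog_ap
"""

# Constructed sample: the Registry:: block of the CFScript posted above.
SAMPLE_CFSCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"""


def parse_value(raw):
    """'dword:00000001' and '1 (0x1)' become ints, '' becomes None; anything
    else ('-' means 'delete this value' in .reg/CFScript syntax) stays a string."""
    raw = raw.strip()
    if raw == '':
        return None
    if m := re.match(r'^dword:([0-9A-Fa-f]{8})$', raw):
        return int(m.group(1), 16)
    if m := re.match(r'^(-?\d+)\s*\(0x[0-9A-Fa-f]+\)$', raw):
        return int(m.group(1))
    return raw


def parse_log(text):
    """Return (registry {key: {name: value}}, bhos [(clsid, path)], lsa_packages)."""
    registry, bhos, lsa_packages, current = {}, [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = registry.setdefault(m.group('key'), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group('name')] = parse_value(m.group('raw'))
        elif m := BHO_RE.match(line):
            bhos.append((m.group('clsid'), m.group('path').strip()))
        elif m := LSA_RE.match(line):
            lsa_packages = m.group('pkgs').split()
    return registry, bhos, lsa_packages


def audit_parsed(registry, bhos, lsa_packages):
    findings = []
    for key, values in registry.items():
        lowered = key.lower()
        # Security Center stops watching a product when DisableMonitoring is 1.
        if 'security center\\monitoring\\' in lowered and values.get('DisableMonitoring') == 1:
            product = key.rsplit('\\', 1)[-1]
            findings.append(f'Security Center monitoring disabled for {product}')
        # EnableFirewall=0 on the standard profile turns the Windows Firewall off.
        if lowered.endswith('firewallpolicy\\standardprofile') and values.get('EnableFirewall') == 0:
            findings.append('Windows Firewall disabled (standard profile)')
    for clsid, path in bhos:
        if path.lower() == 'no file':   # registration left behind without its DLL
            findings.append(f'BHO {clsid} registered but its file is missing (orphaned)')
    for pkg in lsa_packages:
        if pkg.lower() != 'msv1_0':     # msv1_0 is the default; anything extra deserves a look
            findings.append(f'Non-default LSA authentication package listed: {pkg} (verify)')
    return findings


def audit(text):
    return audit_parsed(*parse_log(text))


def audit_after_script(log_text, script_text):
    """Re-run the audit as if the Registry:: block of a CFScript had been applied."""
    registry, bhos, lsa_packages = parse_log(log_text)
    for key, values in parse_log(script_text)[0].items():
        target = registry.setdefault(key, {})
        for name, value in values.items():
            if value == '-':
                target.pop(name, None)
            else:
                target[name] = value
    return audit_parsed(registry, bhos, lsa_packages)
```

Run against the constructed samples, `audit(SAMPLE_LOG)` reports both Security Center entries, the disabled Windows Firewall profile, the orphaned BHO and the extra LSA package; `audit_after_script(SAMPLE_LOG, SAMPLE_CFSCRIPT)` drops the two Security Center findings and keeps the other three, which is what you would expect from the script above: it re-enables monitoring through Registry:: and removes the BHO through the DDS:: section rather than by a registry write, so a registry-only replay cannot see that part of the fix.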

lex200
2010-03-04, 22:16
Attached are the logs requested. Kaspersky is running as we speak. Also, I still have more than 1 iexplore.exe running with 1 page, 1 tab; not sure if it's meant to be like that. Other than that all seems to be OK.

ComboFix 10-03-04.01 - Shez 04/03/2010 21:04:18.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2495 [GMT 0:00]
Running from: c:\documents and settings\Shez\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shez\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shez\Application Data\uTorrent
c:\documents and settings\Shez\Application Data\uTorrent\Brazil v Republic of Ireland – 02-03-10 – 1st half.torrent
c:\documents and settings\Shez\Application Data\uTorrent\Brazil v Republic of Ireland – 02-03-10 – 2nd half.torrent
c:\documents and settings\Shez\Application Data\uTorrent\Case 39 {2009} DVDRIP. Jaybob.torrent
c:\documents and settings\Shez\Application Data\uTorrent\dht.dat
c:\documents and settings\Shez\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Shez\Application Data\uTorrent\Harry Brown 2009 DVDRip.torrent
c:\documents and settings\Shez\Application Data\uTorrent\Lovely Bones.torrent
c:\documents and settings\Shez\Application Data\uTorrent\Ninja.Assassin.2009.DVDRip.XviD-Emery1337x.torrent
c:\documents and settings\Shez\Application Data\uTorrent\resume.dat
c:\documents and settings\Shez\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Shez\Application Data\uTorrent\rss.dat
c:\documents and settings\Shez\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Shez\Application Data\uTorrent\settings.dat
c:\documents and settings\Shez\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Shez\Application Data\uTorrent\utorrent.lng

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 19:58 . 2010-03-04 19:58 49152 ----a-r- c:\documents and settings\Shez\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe
2010-03-04 19:57 . 2010-03-04 19:58 -------- d-----w- c:\windows\166E180E9A3F41AE8B4022D8FFF4AF87.TMP
2010-03-03 12:26 . 2010-03-03 12:26 15360 ----a-w- c:\windows\system32\taskman.exe
2010-03-01 10:34 . 2010-03-01 10:34 -------- d-----w- c:\documents and settings\Shez\Application Data\DVDCreator
2010-02-28 15:57 . 2010-03-03 12:23 -------- d-----w- c:\program files\a-squared Free
2010-02-27 15:44 . 2010-02-27 15:43 737280 ----a-w- c:\windows\iun6002.exe
2010-02-27 01:27 . 2010-02-27 01:27 -------- d-----w- c:\windows\McAfee.com
2010-02-27 01:16 . 2010-02-27 01:22 -------- d-----w- c:\windows\BDOSCAN8
2010-02-26 15:46 . 2010-02-26 15:46 -------- d-----w- c:\documents and settings\Shez\Local Settings\Application Data\Real
2010-02-26 15:46 . 2005-10-28 08:44 308224 ----a-w- c:\windows\system32\avisynth.dll
2010-02-26 15:46 . 2004-02-22 00:11 719872 ----a-w- c:\windows\system32\devil.dll
2010-02-25 01:23 . 2008-06-08 23:58 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-02-24 22:36 . 2010-02-24 22:38 -------- dc-h--w- c:\windows\ie8
2010-02-24 22:33 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-10 16:02 . 2010-02-10 16:02 -------- d-----w- c:\program files\iPod
2010-02-10 15:55 . 2010-02-10 15:55 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 20:33 . 2007-01-07 18:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-03 12:26 . 2005-08-16 04:33 15360 ----a-w- c:\windows\taskman.exe
2010-03-03 12:26 . 2005-08-16 04:18 3072 ----a-w- c:\windows\system32\systray.exe
2010-03-02 23:37 . 2008-03-10 21:11 -------- d-----w- c:\program files\SpywareBlaster
2010-03-01 00:54 . 2009-03-21 13:15 -------- d-----w- c:\documents and settings\Shez\Application Data\Thinstall
2010-02-27 16:14 . 2009-07-04 20:17 -------- d-----w- c:\program files\XP Codec Pack
2010-02-27 14:24 . 2005-08-16 20:58 -------- d-----w- c:\program files\RGB
2010-02-26 16:20 . 2009-08-25 22:15 -------- d-----w- c:\program files\Magic Video Converter
2010-02-24 22:40 . 2007-02-22 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-18 12:42 . 2007-01-07 18:18 -------- d-----w- c:\program files\McAfee
2010-02-13 13:52 . 2009-12-28 18:43 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-02-10 16:03 . 2007-01-17 21:21 -------- d-----w- c:\program files\Itunes
2010-02-10 16:02 . 2007-07-05 10:31 -------- d-----w- c:\program files\Common Files\Apple
2010-02-10 15:59 . 2007-05-31 10:02 -------- d-----w- c:\program files\QuickTime
2010-02-02 11:59 . 2007-02-16 16:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-01 21:36 . 2010-01-22 16:49 -------- d-----w- c:\program files\QuickFreedom
2010-01-28 15:12 . 2010-01-28 15:11 -------- d-----w- c:\program files\MediaMonkey
2010-01-28 15:06 . 2010-01-28 14:46 -------- d-----w- c:\program files\Magic MP3 Tagger
2010-01-27 22:15 . 2010-01-27 22:10 -------- d-----w- c:\program files\MP3's Utilities
2010-01-21 02:26 . 2007-01-07 18:24 84664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-21 01:14 . 2008-06-06 20:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 14:46 . 2007-03-10 00:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 02:00 . 2009-09-22 01:55 316160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-11 23:11 . 2009-04-05 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 23:11 . 2009-04-10 02:46 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 16:07 . 2009-04-05 00:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-04-05 00:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2005-08-16 04:18 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 23:13 . 2007-01-20 20:00 84664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 20:27 . 2009-12-27 20:27 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-12-27 20:27 . 2009-12-27 20:27 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-12-27 20:27 . 2009-12-27 20:27 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-12-27 20:27 . 2009-12-27 20:27 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2009-12-22 14:24 . 2009-12-22 14:23 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-21 19:14 . 2005-08-16 04:18 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-08-16 04:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-08-16 04:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-08-16 04:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-05 18:32 . 2009-12-05 18:32 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-12-05 18:32 . 2008-07-06 20:55 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2009-12-05 18:32 . 2008-07-06 20:55 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2008-02-03 22:43 . 2007-01-10 19:14 168 --sha-r- c:\windows\system32\B5D7B751F3.sys
2008-02-03 22:43 . 2007-02-17 16:12 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol PLUS"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2009-10-10 320832]
"msnmsgr"="c:\program files\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Itunes\\iTunes.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [28/02/2010 15:57 1858144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [05/04/2009 00:35 236368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [07/12/2008 02:24 93320]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [05/04/2009 00:35 19160]
S2 0259611266474712mcinstcleanup;McAfee Application Installer Cleanup (0259611266474712);c:\windows\TEMP\025961~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\025961~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [13/03/2009 20:06 410976]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/07/2008 20:55 13224]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 12:20 12648]
S3 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [24/06/2008 19:56 431384]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [23/05/2007 11:48 273982]
S3 W35UND;ISSC35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\DRIVERS\W35UND.SYS --> c:\windows\system32\DRIVERS\W35UND.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 16:06 11520]
S3 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [13/05/2009 21:58 53307]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 11:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 11:22]

2008-12-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]

2008-12-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Shez\Application Data\Mozilla\Firefox\Profiles\cysjj9ci.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service





FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 21:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2606577421-1681171435-465083108-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1172)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-03-04 21:07:41
ComboFix-quarantined-files.txt 2010-03-04 21:07
ComboFix2.txt 2010-03-04 20:22

Pre-Run: 229,237,911,552 bytes free
Post-Run: 229,209,444,352 bytes free

- - End Of File - - 7D560F8643383D93C451C455A556FB39





DDS (Ver_09-12-01.01) - NTFSx86
Run by Shez at 21:16:05.23 on 04/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2424 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Shez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [WinPatrol PLUS] c:\program files\billp studios\winpatrol\WinPatrol.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MSNMSGR.EXE" /background
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5904/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shez\applic~1\mozilla\firefox\profiles\cysjj9ci.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service





FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 214664]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-2-28 1858144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-5 236368]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-7 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-10 144704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-5 19160]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-10 40552]
S2 0259611266474712mcinstcleanup;McAfee Application Installer Cleanup (0259611266474712);c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\025961~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-3-13 410976]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-7-6 13224]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-10 34248]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [2007-5-23 273982]
S3 W35UND;ISSC35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\w35und.sys --> c:\windows\system32\drivers\W35UND.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2009-5-13 53307]

=============== Created Last 30 ================

2010-03-04 20:15:21 98816 ----a-w- c:\windows\sed.exe
2010-03-04 20:15:21 77312 ----a-w- c:\windows\MBR.exe
2010-03-04 20:15:21 261632 ----a-w- c:\windows\PEV.exe
2010-03-04 20:15:21 161792 ----a-w- c:\windows\SWREG.exe
2010-03-04 19:57:46 0 d-----w- c:\windows\166E180E9A3F41AE8B4022D8FFF4AF87.TMP
2010-03-03 12:26:08 15360 ----a-w- c:\windows\system32\taskman.exe
2010-03-01 10:34:24 0 d-----w- c:\docume~1\shez\applic~1\DVDCreator
2010-02-28 15:57:46 0 d-----w- c:\program files\a-squared Free
2010-02-27 16:14:32 421888 ----a-w- c:\windows\system32\ac3filter.acm
2010-02-27 15:44:37 737280 ----a-w- c:\windows\iun6002.exe
2010-02-27 01:27:13 0 d-----w- c:\windows\McAfee.com
2010-02-26 15:46:03 719872 ----a-w- c:\windows\system32\devil.dll
2010-02-26 15:46:03 308224 ----a-w- c:\windows\system32\avisynth.dll
2010-02-26 15:29:17 295 ----a-w- c:\windows\is-O8P9S.lst
2010-02-26 15:29:17 10821 ----a-w- c:\windows\is-O8P9S.msg
2010-02-25 01:23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-02-24 22:36:59 0 dc-h--w- c:\windows\ie8
2010-02-24 22:33:53 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-10 16:02:28 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-03-03 12:26:08 3072 ----a-w- c:\windows\system32\systray.exe
2010-03-03 12:26:08 3072 ----a-w- c:\windows\system32\dllcache\systray.exe
2010-03-03 12:26:08 15360 ----a-w- c:\windows\taskman.exe
2010-03-03 12:26:08 15360 ----a-w- c:\windows\system32\dllcache\taskman.exe
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:21 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-11 08:38:55 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-05 18:32:27 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2008-02-03 22:43:03 168 --sha-r- c:\windows\system32\B5D7B751F3.sys
2008-02-03 22:43:10 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-12 22:14:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 21:16:35.03 ===============

Blade81
2010-03-05, 11:10
Hi,


i still have more than 1 iexplore.exe running with 1 page 1 tab
In IE 8 there will be two iexplore.exe instances running if you have one tab open. When you have two tabs there will be three iexplore.exe instances. Each opened tab adds one more.

Anyway, I shall wait for those Kaspersky results before further steps :)

lex200
2010-03-05, 11:23
hi


Kaspersky took about 7.5 hours but came back clean. I also got the fatal error blue screen again during the 1st Kaspersky scan; other than that all is good.. :bigthumb:

Blade81
2010-03-05, 11:28
Good. Sounds like it's time for the final steps then :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.




Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html).
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
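A check for the hosts file recommendation above, added here as an example; it is not part of Blade81's post or of the MVPS hosts list. It parses a hosts file (a constructed sample is embedded inline), counts the blocking entries the DNS Client service would have to cache, and lists any mapping that sends a name somewhere other than loopback or 0.0.0.0, which is not a block entry and should be reviewed.

```python
import ipaddress

# Constructed sample in the style of a blocking hosts file (not the real MVPS list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Start of entries generated by a blocking list]
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   banner.example.org
127.0.0.1 spyware-download.example.com   # comment after entry
# The next line is NOT a block entry: it points the name at a real address.
198.51.100.7 www.example.com
"""

# Targets that make an entry a "block" (the name resolves to nothing useful).
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()                 # tabs or spaces, several names per line
        if len(fields) < 2:
            continue                          # malformed line: no hostname
        ip = fields[0]
        try:
            ipaddress.ip_address(ip)          # reject lines whose first field is not an IP
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def audit_hosts(text):
    """Count block entries and list every mapping that is a redirect instead."""
    block_count = 0
    redirects = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue                          # the stock entry, not a block
        if ip in BLOCK_TARGETS:
            block_count += 1
        else:
            redirects.append((line_no, name, ip))
    return {"block_count": block_count, "redirects": redirects}
```

On Windows the file to pass in is C:\Windows\System32\drivers\etc\hosts; a large block_count is what makes the DNS Client service slow, which is why the post suggests setting that service to Manual.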

lex200
2010-03-05, 12:30
hi

I would like to thank you for your time. All steps given above have been done; at the moment all seems to be OK. If any problems occur I will post back. Once again thanks for your time and effort :bigthumb:. By the way, what did we find on there, and if so what caused it? :red:

Blade81
2010-03-05, 13:52
You're welcome :)

Mostly just leftovers were found. Possible causes can be read about here (http://forums.spybot.info/showthread.php?t=279).

Blade81
2010-03-12, 15:07
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.