Search results being redirected, could not post to spybot forum from infected pc



tbinder
2010-11-17, 04:30
I haven't had many computer issues in the past, so this is the first time I've had to come to a forum for help; please be patient with me as I am not exactly computer savvy. I have just recently started having problems with search results being redirected, not all searches but most, and it seems to be getting worse. I just recently installed McAfee Antivirus and to my surprise the problem seems to have gotten worse. I installed Malwarebytes Anti-Malware as well as Spybot Search and Destroy and performed a scan with both before finding these forums; the scans have not changed the performance issues. I attempted to follow the steps in the FAQ before starting this post and downloaded ERUNT, but when I go to check "system registry only" I get an error message that the file does not exist and asks if I want to create it. I also went to post to this forum from the infected PC and keep getting an error message that Internet Explorer cannot display the webpage, but I have other tabs open that are still functioning fine. Please let me know if I need to include any additional details; like I said, this is new to me, I just want to get these issues fixed and try to prevent them in the future. Appreciate any assistance!!

DDS (Ver_10-11-10.01) - NTFSx86
Run by Teresa at 20:41:59.34 on Tue 11/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1203 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Teresa\Local Settings\Temporary Internet Files\Content.IE5\P7ZBO9HT\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: @Û - No File
BHO: rsion - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101105221642.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: ¸?Û - No File
BHO: ø@Û - No File
BHO: ˆ?Û - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
mRun: [EPSON Stylus CX7800 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [ohewekyr] c:\windows\temp\wgejfberh\teurduqtsbl.exe
StartupFolder: c:\docume~1\teresa\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.library.icc.edu/lib/illcencol/support/plugins/ebraryRdr.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102w.bay102.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141084118537
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-5 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-5 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-5 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-5 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-5 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-5 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-5 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-5 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-5 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-5 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-8-16 14336]

=============== Created Last 30 ================

2010-11-13 02:08:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 02:08:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-13 02:04:23 -------- d-----w- c:\docume~1\teresa\applic~1\Malwarebytes
2010-11-13 02:04:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 02:04:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 02:04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 02:04:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-06 02:58:24 -------- d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-10-14 03:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-08 02:03:12 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-08 02:03:10 104 --sh--r- c:\windows\system32\4BC96202A9.sys
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A982446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a988504]; MOV EAX, [0x8a988580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A9B2AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A9B47E8]
\Driver\atapi[0x8AA17350] -> IRP_MJ_CREATE -> 0x8A982446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A982292
user != kernel MBR !!!
sectors 312499998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 20:45:02.47 ===============

JonTom
2010-11-18, 09:29
Hello tbinder and welcome

My name is JonTom

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 5 days your thread will be closed.



"please be patient with me as I am not exactly computer savvy"

Don't worry. If there is anything you do not understand or are unsure about just ask - it's what I am here for.

When you ran DDS, were two logs produced? You posted DDS.txt (the main log), but there should also have been a second log created called attach.txt. If you have the attach.txt, please post it in your next reply.

Before we do any fixing I would like to see the results of an ARK scan.


"could not post to spybot forum from infected pc"

If you cannot establish a stable connection from the infected machine, please download the required tools using a clean (uninfected) system and transfer them to the infected machine, either by burning them to disk or by using a flash drive (USB memory stick).

If you choose to use a USB stick, please run the following program to minimise the chances of cross-infection:

Please download Flash Disinfector


Click here (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
Wait until Flash disinfector has finished scanning and then exit the program.
Reboot your computer.


Once you have done this, please do the following:


Please scan your system with GMER


Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please post the GMER log in your next reply. If you encounter any difficulties getting the scan to complete come back and let me know.

tbinder
2010-11-20, 03:42
Ok, I hope I have done this correctly. I am attaching the DDS log that I initially left off. Below is the GMER text after the scan completed. I should also tell you that my husband, in an attempt to help, downloaded and scanned with CCleaner; I thought you would probably need to know moving forward. I told him no more helping. I hope that doesn't cause any issues, and if it does I apologize. Please let me know if I haven't included what you need or if I have pasted/attached incorrectly. Thanks again, Teresa

Below is the first portion of the GMER text; it wouldn't all fit in one post, so the rest will follow.
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-19 20:30:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1600JS-75NCB1 rev.10.02E01
Running: gmer.exe; Driver: C:\DOCUME~1\Teresa\LOCALS~1\Temp\uftdqpob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E970E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E970F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E97120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E97176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E970CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E970A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E970B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E9710A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E9714C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E97136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E971A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E9718C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E97160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9E97164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B9E9717A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B9E97190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP B9E97150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B9E970A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP B9E970BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B9E971A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP B9E9713A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B9E9710E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP B9E970E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B9E970F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B9E97124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9E970D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xBA3E3760]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DE0FDB
.text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE0011
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0F8B
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F9C
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0080
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0FC3
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FD4
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD00CC
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F7A
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F44
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F69
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD0102
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD0065
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD0014
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD00A5
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0040
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD002F
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD00DD
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0087
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC002C
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC0011
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC006C
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0051
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0042
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0FB7
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0027
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FC8
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FE3
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DA001B
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DA0FDB
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00DA002C
.text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0FA5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB009A
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0FC0
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB007D
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F77
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00F5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00E4
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F37
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB006C
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB00B5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F66
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0F72
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D2003D
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FC6
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20FE3
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[664] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[664] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\explorer.exe[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\explorer.exe[784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\WINDOWS\explorer.exe[784] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D3000C
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FDB
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0073
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D002C
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D001B
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0062
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0000
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0FCA
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0051
.text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002E0047
.text C:\WINDOWS\explorer.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 002E0FBC
.text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002E0FD7
.text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002E0000
.text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002E002C
.text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002E0011
.text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02B30FEF
.text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02B30025
.text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02B30014
.text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F9000C
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02B20000
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02B2006E
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02B20F79
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02B20F94
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02B20FA5
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02B20047
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02B20F43
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02B20095
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02B20EFC
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02B20F17
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02B20EE1
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02B20FB6
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02B2001B
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02B20F5E
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02B20036
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02B20FE5
.text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02B20F32
.text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02B0003D
.text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 02B00FBC
.text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02B00011
.text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02B00FE3
.text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02B0002C
.text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02B00000
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02B10025
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02B10FAF
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02B10FDE
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02B10FEF
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02B10076
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02B1000A
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02B10065
.text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02B1004A
.text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02AE0000
.text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02AE0FEF
.text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02AE0FCA
.text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 02AE001B
.text C:\WINDOWS\system32\wuauclt.exe[844] WS2_32.dll!socket

tbinder
2010-11-20, 03:43
.text C:\WINDOWS\system32\services.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\services.exe[1092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\services.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F5C
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F6D
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0047
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F2B
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA007D
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EEE
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0EFF
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EDD
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F10
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE005B
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0040
.text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0038
.text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FB7
.text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD000C
.text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FE3
.text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0027
.text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FD2
.text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\services.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EA002C
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA001B
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90051
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90F5C
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90036
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90F79
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FAF
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E9007D
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F41
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900C4
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900A9
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900D5
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90F94
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90062
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90011
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90098
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010F0FDE
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010F0F9E
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010F002F
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010F0014
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010F005B
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010F0FEF
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010F004A
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010F0FB9
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010E0FB4
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 010E003F
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010E001D
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010E002E
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010E0FE3
.text C:\WINDOWS\system32\lsass.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EB0025
.text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02570FEF
.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02570FC3
.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02570FDE
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02560FEF
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0256007F
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02560F8A
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02560F9B
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02560058
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0256002C
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02560F4D
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02560F5E
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025600C4
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02560F21
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025600D5
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02560047
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02560000
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02560F6F
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02560FC0
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02560011
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02560F3C
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025B0FB9
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025B0F68
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025B0FCA
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025B0FE5
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025B0F79
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025B0000
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 025B0025
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025B0F9E
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025A0F97
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 025A0022
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025A0FBC
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025A0000
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025A0011
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025A0FD7
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02580000
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0258001B
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02580FE5
.text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 02580036
.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02590000
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F10014
.text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F10FDE
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F44
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F55
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00F7C
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00F8D
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00FC3
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00060
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00F0E
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F0008C
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00EF3
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F0009D
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FB2
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F29
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FDE
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F0002F
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00071
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FD1
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50F87
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50022
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50011
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F5004E
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F50FAC
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [15, 89]
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F5003D
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40F97
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F40022
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40011
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40FBC
.text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40FE3
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F20FDE
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F20FC3
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00F2001E
.text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 031D0FEF
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 031D0FCD
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 031D0FDE
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AB000A
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A9000C
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 031C0FE5
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 031C0F55
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 031C0F70
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 031C0F97
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 031C004A
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 031C0FB2
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031C008C
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 031C0F44
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031C00B8
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031C0F29
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 031C00DD
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 031C0039
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 031C0FD4
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 031C0065
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 031C0FC3
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 031C000A
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 031C00A7
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03210FCA
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03210062
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0321001B
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03210FE5
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03210051
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03210000
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03210FAF
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [41, 8B]
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03210036
.text C:\WINDOWS\System32\svchost.exe[1672] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E5000A
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03200F7F
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 03200F90
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03200FC6
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03200000
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03200FAB
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03200FE3
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 031E000A
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 031E0FEF
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 031E0FDE
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 031E002F
.text C:\WINDOWS\System32\svchost.exe[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 031F0FEF
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A60FDE
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A5007F
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50F8A
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50062
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50FA5
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50FD1
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A500BC
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A500AB
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500F2
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A50F59
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50F3E
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A50FB6
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A50011
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50090
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A5003D
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A5002C
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A500D7
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AA002C
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AA0047
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AA001B
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AA0F94
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AA0FAF
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CA, 88]
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AA0FC0
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A90053
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A90FBE
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A90027
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A90038
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A70FD4
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A70FC3
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00A70FB2
.text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F88
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C6007D
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C6006C
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C6005B
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C600AB
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C6009A
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600E1
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F48
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C600FC
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60040
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F6D
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C600C6

tbinder
2010-11-20, 03:44
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3B, 88]
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0F9C
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0FB7
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE001D
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0FC8
.text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE000C
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB0FCA
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EA0F92
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EA0FA3
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EA0FCA
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EA0087
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EA006C
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EA0F5F
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EA0F70
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA0F30
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA00D3
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA00EE
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA001B
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA0F81
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA0047
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA00C2
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90F9B
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90062
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E90047
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E90FC0
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80033
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80FB2
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80FC3
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80018
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E60FCA
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00E60FA5
.text C:\WINDOWS\system32\svchost.exe[1988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 010B0FEF
.text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 010B0FD4
.text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 010B0000
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010A0FEF
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010A0082
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010A005D
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010A0040
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010A002F
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010A0014
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010A0F55
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010A0F66
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010A0F33
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010A00C2
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010A00DD
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010A0F8D
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010A0FCA
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010A0093
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010A0FA8
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010A0FB9
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010A0F44
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0029
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0018
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01090022
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0109004E
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01090011
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01090FDB
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01090F91
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01090033
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01090FAC
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\dllhost.exe[3492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A543292

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312499744 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
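
The ".text" lines above are the user-mode part of the GMER log: each records a 5-byte JMP written over the first bytes of an exported API in a system DLL, redirecting it into a block at a low address (00C6xxxx, 001Bxxxx, 00EAxxxx, ...) that is not itself one of the system DLLs. The log does not say who placed the hooks, and security products install hooks of exactly this shape, so the useful questions are: which processes are hooked, what operations the hook set covers (process creation, library loading, file and registry access, sockets and WinINet), and where the JMPs land. The following is an added example, not from this thread and not GMER's code: a Python parser for these lines that answers those questions. The 0x10000000 address threshold and the API-to-category map are this example's own assumptions, and the sample lines are constructed in the log's format.

```python
import re
from collections import defaultdict

# Format of a GMER inline-hook line:
#   .text <process>[<pid>] <module>!<function>[ + <off>] <addr> <n> Bytes <JMP <target> | [<raw bytes>]>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]+)\])\s*$"
)

# Assumption used only for the heuristic below: on 32-bit XP the hooked system DLLs are
# mapped well above 0x10000000 (kernel32 at 7C800000, ntdll at 7C900000, wininet at
# 3D930000 in this log), so a JMP landing below that goes somewhere else: the process
# image, a heap block or a third-party DLL. GMER makes no such judgement; it lists the JMP.
NON_SYSTEM_DLL_CEILING = 0x10000000

# Coarse grouping of hooked APIs by what they intercept (this example's own map).
CATEGORY_BY_PREFIX = {
    "CreateProcess": "process", "NtCreateProcess": "process", "WinExec": "process",
    "system": "process", "_wsystem": "process",
    "LoadLibrary": "library", "GetProcAddress": "library",
    "CreateFile": "file", "NtCreateFile": "file", "_open": "file", "_wopen": "file",
    "_creat": "file", "_wcreat": "file", "CreatePipe": "file", "CreateNamedPipe": "file",
    "RegOpenKey": "registry", "RegCreateKey": "registry",
    "InternetOpen": "network", "socket": "network",
    "VirtualProtect": "memory", "NtProtectVirtualMemory": "memory",
    "GetStartupInfo": "startup",
}


def category_of(func):
    """Map an API name to a coarse category; unknown names get 'other'."""
    for prefix, cat in CATEGORY_BY_PREFIX.items():
        if func.startswith(prefix):
            return cat
    return "other"


def parse_hook(line):
    """Parse one GMER '.text' line into a dict, or return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "process": d["proc"], "pid": int(d["pid"]),
        "module": d["module"], "func": d["func"],
        "offset": int(d["off"]) if d["off"] else 0,
        "addr": int(d["addr"], 16), "nbytes": int(d["n"]),
        # A 5-byte JMP has a target; a partial patch such as '2 Bytes [3B, 88]' does not.
        "target": int(d["target"], 16) if d["target"] else None,
        "raw": d["raw"],
    }


def summarize(lines):
    """Group hook lines by PID and describe what is hooked and where the JMPs land."""
    by_pid = defaultdict(list)
    for line in lines:
        h = parse_hook(line)
        if h:
            by_pid[h["pid"]].append(h)
    report = {}
    for pid, hooks in by_pid.items():
        targets = [h["target"] for h in hooks if h["target"] is not None]
        report[pid] = {
            "process": hooks[0]["process"],
            "hook_count": len(hooks),
            "hooked_modules": sorted({h["module"] for h in hooks}),
            "categories": sorted({category_of(h["func"]) for h in hooks}),
            # 64 KiB regions the JMPs land in: in this log one block per hooked DLL
            # (00C6xxxx for kernel32, 001Bxxxx for ADVAPI32, 00C9xxxx for WS2_32, ...)
            "target_regions": sorted({t & 0xFFFF0000 for t in targets}),
            "outside_system_dlls": sum(1 for t in targets if t < NON_SYSTEM_DLL_CEILING),
            "partial_patches": sum(1 for h in hooks if h["target"] is None),
        }
    return report


# Constructed sample in the log's format, plus one non-hook line the parser must skip.
SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F48
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3B, 88]
.text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 010B0FEF
---- Devices - GMER 1.0.15 ----
""".strip().splitlines()

if __name__ == "__main__":
    for pid, info in sorted(summarize(SAMPLE).items()):
        print(pid, info["process"], info["hook_count"], "hooks; categories:",
              ", ".join(info["categories"]), "; JMP regions:",
              ", ".join(f"{r:08X}" for r in info["target_regions"]))
```

Feed the whole GMER log to summarize() and compare the per-process categories and target regions; hooks from a single security product tend to cover the same API set in every process and jump into the same few regions, which is what the full log above shows. To decide who owns a region you still need a module list for that process (a memory dump or a live listing), because the log alone does not name the DLL behind 00C60000.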

JonTom
2010-11-20, 13:42
Hello tbinder


Please let me know if I haven't included what you need or if I have pasted/attached incorrectly. You did everything perfectly :bigthumb:


I told him no more helping While it is always tempting to run scans and extra tools, please try to refrain from doing so as it can make spotting problems and log interpretation much more difficult.

Please do the following:


Please disable Spybot Teatimer


Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click "Tools", then click on the "Resident" icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active" box.
Click the "System Startup" icon in the List.
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.



Combofix


Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)


VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

tbinder
2010-11-20, 17:22
When I go to system startup I do not see anything called tea timer to uncheck? There are three columns of information, key, value and command line - I don't see tea timer in any of these areas? I also started getting error messages today that Mcafee couldn't update software with a suggestion to check my internet connection - connection is fine? Now what??

JonTom
2010-11-20, 19:55
Hello tbinder


Now what?? Please make sure that the "Resident TeaTimer" box is Unchecked and everything should be fine. Once it is Unchecked go ahead and run ComboFix :)

tbinder
2010-11-21, 04:05
To disable Mcafee do I just turn the firewall off or is there something else that also needs done. Do I need to disable anything else like the malwarebytes antimalware or spybot S&D, ccleaner? Do I do anything with those or anything else?

JonTom
2010-11-21, 18:21
Hello tbinder


Do I need to disable anything else like the malwarebytes antimalware or spybot S&D, ccleaner? You do not need to disable MalwareBytes or ccleaner, and provided you disable Spybot's Teatimer all should be well.


To disable Mcafee do I just turn the firewall off or is there something else that also needs done. You need to disable the Firewall and the AntiVirus (if you have additional applications you can disable them also).

There is information provided in the ComboFix instructions to help you disable your security applications, and you can also refer to your User manual for additional information.

As a general guide please try the following:


Double-click the McAfee icon in your taskbar (bottom right hand corner of the screen) to open McAfee SecurityCenter

Click Advanced Menu (bottom)

Click Configure (left)

Click Computer & Files (top left)

In the right-hand space you can disable VirusScan and select for how long (as we do not know how long ComboFix will take to complete its scan you may have to leave McAfee permanently disabled and then re-enable it after the scan has completed).

You should also be able to disable your Firewall and additional McAfee features from this page.

Once McAfee is disabled run ComboFix and post the log created.

tbinder
2010-11-22, 03:43
Ok, I think I have disabled Mcafee correctly, not completely certain as I have never done that before. Started the scan and almost immediately had this message pop up, The Master Boot Record is infected!! Make sure your antivirus programs are disabled before clicking ok. Do I click ok, is this a sign that I haven't disabled properly? Just concerned me so I haven't clicked ok and logged in from my work laptop as it wouldn't allow me to post to the forum again. Please advise.

JonTom
2010-11-22, 09:10
Hello tbinder


is this a sign that I haven't disabled properly? Please advise. I am aware of the MBR infection on your machine. You are not doing anything wrong :) The message you are receiving is not related to your not disabling your security software properly.

There is no need to worry tbinder. Everything you have described is normal. You may receive additional messages from ComboFix during the course of the scan. If this happens, don't be alarmed but allow ComboFix to run unhindered.

tbinder
2010-11-23, 03:33
Here is the log, please let me know what I need to do next!! Thank you for taking the time to walk me through all of this!

ComboFix 10-11-22.04 - Teresa 11/22/2010 19:59:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1529 [GMT -6:00]
Running from: c:\documents and settings\Teresa\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-17 02:32 . 2010-11-17 03:05 -------- d-----w- c:\program files\ERUNT
2010-11-14 06:52 . 2010-11-14 06:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-11-14 03:08 . 2010-11-14 03:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-13 02:08 . 2010-11-20 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-13 02:08 . 2010-11-13 02:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 02:04 . 2010-11-13 02:04 -------- d-----w- c:\documents and settings\Teresa\Application Data\Malwarebytes
2010-11-13 02:04 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 02:04 . 2010-11-13 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 02:04 . 2010-11-13 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-13 02:04 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 11:46 . 2010-11-12 11:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-12 10:40 . 2010-11-12 10:40 -------- d-sh--w- c:\documents and settings\Jeremy\IETldCache
2010-11-06 02:58 . 2010-11-06 02:58 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2005-08-16 10:18 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2005-08-16 10:18 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2005-08-16 10:18 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2005-08-16 10:18 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2005-08-16 10:18 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2005-08-16 10:18 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2005-08-16 10:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2006-02-16 00:06 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-21 00:18 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-16 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]
"EPSON Stylus CX7800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\documents and settings\Teresa\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2010-09-30 18:10 1193848 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/5/2010 9:07 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/5/2010 9:07 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/5/2010 9:07 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/5/2010 9:07 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [11/5/2010 9:07 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/5/2010 9:07 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/5/2010 9:07 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/5/2010 9:07 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/5/2010 9:07 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/21/2010 6:45 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/5/2010 9:07 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/5/2010 9:07 PM 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 4:18 AM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]

2010-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-22 00:45]

2010-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-22 00:45]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SAClient - c:\program files\Insight\BBClient\Programs\RegCon.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper_3004.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2010-11-22 20:18:52
ComboFix-quarantined-files.txt 2010-11-23 02:18

Pre-Run: 104,787,730,432 bytes free
Post-Run: 105,560,604,672 bytes free

- - End Of File - - C1124E3143B6D6B0EDDA2ED641A20DDD
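
ComboFix reports the TDL4 bootkit in sector 0 of PhysicalDrive0 as "found and disinfected", and GMER earlier flagged sector 0 together with sectors from 312499744 (+255), the unpartitioned tail of the disk, which is where this family keeps its hidden storage. A practitioner would verify the repaired MBR rather than take the message on trust. The following is an added example, not part of the thread and not ComboFix's or GMER's code: a Python checker that parses a 512-byte MBR, validates the boot signature and partition table, measures the unpartitioned space after the last partition, and compares the bootstrap code against a known-good hash. The disk size, the sector images and the 16 MiB slack threshold are this example's own constructed values and assumptions. One caveat that matters here: a bootkit that filters disk I/O in the kernel can hand a clean sector 0 to any program running on the infected system, so for a trustworthy read take the sector from a boot CD or another operating system.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
# Assumption of this example: more than 16 MiB of unpartitioned space after the last
# partition is worth inspecting. OEM layouts often leave a few MiB; TDL4 stores its
# hidden file system in exactly this kind of tail space.
SLACK_THRESHOLD_SECTORS = 16 * 1024 * 1024 // SECTOR


def parse_mbr(sector0):
    """Split a 512-byte sector into bootstrap code hash, partition entries and signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, sector0, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "active": status == 0x80,
                        "type": ptype, "start": start, "count": count})
    code = sector0[:PART_TABLE_OFF]
    return {"code_sha256": hashlib.sha256(code).hexdigest(),
            "entries": entries, "signature": sector0[510:512]}


def check_mbr(sector0, disk_sectors, baseline_code_sha256=None):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    mbr = parse_mbr(sector0)
    findings = []
    if mbr["signature"] != b"\x55\xaa":
        findings.append("boot signature missing")
    used = [e for e in mbr["entries"] if e["type"] != 0 and e["count"] != 0]
    if sum(1 for e in used if e["active"]) != 1:
        findings.append("expected exactly one active partition")
    for e in used:
        if e["start"] + e["count"] > disk_sectors:
            findings.append(f"partition {e['index']} extends past the end of the disk")
    spans = sorted((e["start"], e["start"] + e["count"]) for e in used)
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        findings.append("partition entries overlap")
    slack = disk_sectors - max((end for _, end in spans), default=0)
    if slack > SLACK_THRESHOLD_SECTORS:
        findings.append(f"{slack} unpartitioned sectors after the last partition")
    if baseline_code_sha256 and mbr["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings


def read_sector0(device):
    r"""Read sector 0 from a raw device: \\.\PhysicalDrive0 on Windows (administrator),
    /dev/sda on Linux (root). Read it from a clean boot environment, not the infected OS."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def build_mbr(code_byte, parts, signature=b"\x55\xaa"):
    """Constructed test sector: filler bootstrap code plus (active, type, start, count) entries."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if active else 0, b"\0\0\0",
                                 ptype, b"\0\0\0", start, count)
                     for active, ptype, start, count in parts)
    return bytes([code_byte]) * PART_TABLE_OFF + table.ljust(64, b"\0") + signature


# Constructed sample: a 160 GB disk with one NTFS partition starting at LBA 63 and
# ending at sector 312499744, the sector GMER reported above; the disk size is an
# assumed value for such a drive, not something the log states.
DISK_SECTORS = 312_581_808
LAYOUT = build_mbr(0x90, [(True, 0x07, 63, 312_499_681)])
BASELINE = parse_mbr(LAYOUT)["code_sha256"]                  # hash of a known-good copy
TAMPERED = build_mbr(0xCC, [(True, 0x07, 63, 312_499_681)])  # same table, different code

if __name__ == "__main__":
    for name, image in (("layout", LAYOUT), ("tampered", TAMPERED)):
        print(name, check_mbr(image, DISK_SECTORS, BASELINE) or ["no findings"])
```

A slack finding on its own is not proof of infection, only a pointer to sectors worth dumping and inspecting; the bootstrap-code comparison is the decisive check, which is why keeping a hash of the MBR from a freshly installed machine is worth the effort.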

JonTom
2010-11-23, 09:10
Hello tbinder

Great job running ComboFix :bigthumb:


Thank you for taking the time to walk me through all of this! No problem at all. You are doing really well :)

Please do the following:

Please scan the following files


Please go to VirusTotal (http://www.virustotal.com/)


On the page you'll find a "Browse" button.
Click on the Browse button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.



c:\windows\system32\CLBCATQ.DLL


Next, click the Open button.
Then click the "Send File" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now.
Once scanned, copy and paste the link to the results page in your next reply.



Clean out your temporary files


Please download ATF Cleaner by Atribune by clicking here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save the file (called ATF-Cleaner.exe) to your desktop.
Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
Check the boxes to the left of the following:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache

The rest are optional. If you want to remove everything check the "Select All" box.
Click on "Empty Selected" to begin cleaning.
Once the "Done Cleaning" message appears, click OK.
If you use Firefox, click on the Firefox tab and repeat the above process.
When you have finished cleaning, click on the "Exit" button in the main menu.



MalwareBytes AntiMalware:


I can see that you have MBAM installed.
Double click on your MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.



Please update your Java


Click on "Start", then on "Control Panel".
Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find (Java(TM) 6 Update 7).
Reboot your computer.
Next, download the latest version of Java by clicking here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a button marked "Download JRE".
Click the "Download JRE" button.
Select the platform (Windows, in your case), multi language.
Accept the license agreement and click on "Continue".
You do not have to register if you do not want to (the registration step is optional).
Scroll down and click on the file called jre-6u22-windows-i586.exe located under "Windows Offline Installation".
Save the file to your desktop.
Do not select Run.
Double click on the saved file (jre-6u22-windows-i586.exe) to install the update.
Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.


Please post the VirusTotal scan link and the MBAM log in your next reply.

Also, please provide a new DDS scan (I only need to see the DDS.txt log) and let me know how your machine is running now.

tbinder
2010-11-26, 22:25
Hello, I have not forgotten about what I need to do, just haven't had time with Thanksgiving holiday! Plan on working on it tonight. Did try a search just to see what happened and had issues but I haven't followed the steps yet in the last post. Working on it.... will let you know when complete!

JonTom
2010-11-27, 10:24
:bigthumb:

tbinder
2010-11-29, 04:50
Ok, here goes - here is the link to the Virus Total Scan.

http://www.virustotal.com/file-scan/report.html?id=4d3095fd8431d0839b6ee785a979d005a1035368a152cdc705804e85b7673198-1291000791

Below is the MBAM log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5210

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/28/2010 9:33:30 PM
mbam-log-2010-11-28 (21-33-30).txt

Scan type: Quick scan
Objects scanned: 165810
Time elapsed: 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And below the DDS log.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/26/2006 3:15:55 PM
System Uptime: 11/24/2010 1:11:24 PM (104 hours ago)

Motherboard: Dell Inc. | | 0WG261
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 98.099 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP934: 8/30/2010 11:50:55 PM - System Checkpoint
RP935: 9/1/2010 1:02:54 AM - System Checkpoint
RP936: 9/2/2010 1:14:54 AM - System Checkpoint
RP937: 9/3/2010 2:14:55 AM - System Checkpoint
RP938: 9/4/2010 2:25:54 AM - System Checkpoint
RP939: 9/5/2010 2:37:54 AM - System Checkpoint
RP940: 9/6/2010 2:49:54 AM - System Checkpoint
RP941: 9/7/2010 4:01:56 AM - System Checkpoint
RP942: 9/8/2010 4:13:54 AM - System Checkpoint
RP943: 9/9/2010 5:25:54 AM - System Checkpoint
RP944: 9/10/2010 6:07:36 AM - System Checkpoint
RP945: 9/11/2010 7:01:54 AM - System Checkpoint
RP946: 9/12/2010 7:37:59 AM - System Checkpoint
RP947: 9/13/2010 8:13:54 AM - System Checkpoint
RP948: 9/14/2010 3:00:16 AM - Software Distribution Service 3.0
RP949: 9/15/2010 3:00:42 AM - Software Distribution Service 3.0
RP950: 9/16/2010 3:03:45 AM - System Checkpoint
RP951: 9/17/2010 3:15:45 AM - System Checkpoint
RP952: 9/18/2010 3:27:45 AM - System Checkpoint
RP953: 9/19/2010 4:27:45 AM - System Checkpoint
RP954: 9/20/2010 5:39:46 AM - System Checkpoint
RP955: 9/21/2010 7:03:45 AM - System Checkpoint
RP956: 9/22/2010 8:03:45 AM - System Checkpoint
RP957: 9/23/2010 9:02:44 AM - System Checkpoint
RP958: 9/24/2010 10:32:40 AM - System Checkpoint
RP959: 9/25/2010 11:27:48 AM - System Checkpoint
RP960: 9/26/2010 4:20:33 PM - System Checkpoint
RP961: 9/27/2010 4:27:48 PM - System Checkpoint
RP962: 9/28/2010 5:43:39 PM - System Checkpoint
RP963: 9/29/2010 6:50:43 PM - System Checkpoint
RP964: 9/30/2010 3:00:15 AM - Software Distribution Service 3.0
RP965: 10/1/2010 3:26:43 AM - System Checkpoint
RP966: 10/2/2010 5:38:43 AM - System Checkpoint
RP967: 10/3/2010 7:02:43 AM - System Checkpoint
RP968: 10/4/2010 7:26:43 AM - System Checkpoint
RP969: 10/5/2010 8:26:43 AM - System Checkpoint
RP970: 10/6/2010 10:38:43 AM - System Checkpoint
RP971: 10/7/2010 3:00:15 AM - Software Distribution Service 3.0
RP972: 10/7/2010 9:08:32 PM - Software Distribution Service 3.0
RP973: 10/8/2010 9:36:31 PM - System Checkpoint
RP974: 10/9/2010 10:17:18 PM - System Checkpoint
RP975: 10/10/2010 11:08:31 PM - System Checkpoint
RP976: 10/11/2010 11:15:06 PM - System Checkpoint
RP977: 10/12/2010 11:39:04 PM - System Checkpoint
RP978: 10/14/2010 12:51:04 AM - System Checkpoint
RP979: 10/14/2010 3:00:57 AM - Software Distribution Service 3.0
RP980: 10/15/2010 6:14:26 AM - System Checkpoint
RP981: 10/16/2010 7:37:21 AM - System Checkpoint
RP982: 10/17/2010 7:55:45 AM - System Checkpoint
RP983: 10/18/2010 8:48:11 AM - System Checkpoint
RP984: 10/19/2010 5:42:44 PM - System Checkpoint
RP985: 10/20/2010 6:43:45 PM - System Checkpoint
RP986: 10/21/2010 8:06:23 PM - System Checkpoint
RP987: 10/22/2010 9:27:37 PM - System Checkpoint
RP988: 10/23/2010 9:36:51 PM - System Checkpoint
RP989: 10/24/2010 10:09:42 PM - System Checkpoint
RP990: 10/25/2010 10:31:45 PM - System Checkpoint
RP991: 10/26/2010 11:43:45 PM - System Checkpoint
RP992: 10/27/2010 11:55:45 PM - System Checkpoint
RP993: 10/29/2010 12:19:45 AM - System Checkpoint
RP994: 10/30/2010 12:31:45 AM - System Checkpoint
RP995: 10/31/2010 1:46:28 AM - System Checkpoint
RP996: 11/1/2010 1:55:45 AM - System Checkpoint
RP997: 11/2/2010 3:07:45 AM - System Checkpoint
RP998: 11/3/2010 4:19:45 AM - System Checkpoint
RP999: 11/4/2010 6:33:39 AM - System Checkpoint
RP1000: 11/5/2010 7:43:45 AM - System Checkpoint
RP1001: 11/6/2010 8:38:16 AM - System Checkpoint
RP1002: 11/7/2010 11:00:51 AM - System Checkpoint
RP1003: 11/8/2010 12:12:58 PM - System Checkpoint
RP1004: 11/9/2010 12:13:16 PM - System Checkpoint
RP1005: 11/10/2010 1:21:34 PM - System Checkpoint
RP1006: 11/11/2010 3:00:31 AM - Software Distribution Service 3.0
RP1007: 11/12/2010 6:07:56 AM - System Checkpoint
RP1008: 11/13/2010 6:19:47 AM - System Checkpoint
RP1009: 11/14/2010 6:33:26 AM - System Checkpoint
RP1010: 11/15/2010 7:21:25 AM - System Checkpoint
RP1011: 11/16/2010 8:03:50 AM - System Checkpoint
RP1012: 11/17/2010 8:41:29 AM - System Checkpoint
RP1013: 11/18/2010 8:53:23 AM - System Checkpoint
RP1014: 11/19/2010 9:41:24 AM - System Checkpoint
RP1015: 11/20/2010 9:51:34 AM - System Checkpoint
RP1016: 11/21/2010 11:23:55 AM - System Checkpoint
RP1017: 11/24/2010 1:27:37 PM - System Checkpoint
RP1018: 11/25/2010 1:51:48 PM - System Checkpoint
RP1019: 11/26/2010 3:01:34 PM - System Checkpoint
RP1020: 11/27/2010 3:15:32 PM - System Checkpoint
RP1021: 11/28/2010 4:16:32 PM - System Checkpoint
RP1022: 11/28/2010 9:35:14 PM - Removed Java(TM) 6 Update 7
RP1023: 11/28/2010 9:40:20 PM - Installed Java(TM) 6 Update 22

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
AOLIcon
Apple Software Update
ArcSoft PhotoImpression 5
ATI Control Panel
ATI Display Driver
CCleaner
ColorSelectStudio
Consumer Complete Care Services Agreement
Corel Paint Shop Pro X
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Download Manager
Dell Driver Reset Tool
Dell Game Console
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Digital Content Portal
EducateU
ELIcon
EPSON CX 7800 Guide
EPSON Printer Software
EPSON Scan
ERUNT 1.1j
ESPNMotion
GemMaster Mystic
getPlus(R)_ocx
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 22
Learn2 Player (Uninstall Only)
LimeWire 4.14.8
Malwarebytes' Anti-Malware
McAfee Total Protection
MCU
Mickey Mouse Toddler
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Basic Edition 2003
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Otto
PowerDVD 5.5
Qualxserve Service Agreement
RealPlayer Basic
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic DLA
Sonic Encoders
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
The Book of Pooh
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Verizon High Speed Internet
Viewpoint Media Player
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Winnie the Pooh Toddler Deluxe
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

11/24/2010 1:12:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 9:18:47 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {DDC6C82A-BCD6-480F-BAE7-9F406F687A53}
11/22/2010 7:58:33 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {26608B46-476A-4BF1-9CC6-AFEA28EBBC17}
11/22/2010 7:58:25 PM, error: Service Control Manager [7022] - The McAfee VirusScan Announcer service hung on starting.
11/22/2010 7:56:58 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {9B3BEB4E-1C5E-4A5F-BB36-2F6587DD34E2}
11/21/2010 1:56:01 PM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/21/2010 1:56:01 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/21/2010 1:56:01 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.
11/21/2010 1:56:00 PM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/21/2010 1:56:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/21/2010 1:56:00 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2.

==== End Of File ===========================

I did a search and it appears that the searches are no longer being redirected so that's a good sign. Is there anything else I need to do moving forward, what can I do to prevent this issue in the future? At what point can I enable Mcafee again? Appreciate all of the help so far!!:thanks:
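The event-viewer block in the attach.txt above is worth reading mechanically rather than by eye. As an added example that is not part of this thread and is not DDS's own code, the following Python script parses lines in the DDS event-viewer format ("date, level: source [event id] - message") and flags service start failures, decoding Win32 error 1058 as ERROR_SERVICE_DISABLED. The sample lines are copied from the log above. Here the failing services belong to McAfee, which matches the user having disabled McAfee for the cleanup; the same check is what surfaces tampering with a security product when nobody disabled it on purpose.

```python
import re
from collections import Counter

# Constructed sample: event-viewer lines copied from the DDS attach.txt posted above.
SAMPLE_EVENTS = r"""
11/24/2010 1:12:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 9:18:47 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {DDC6C82A-BCD6-480F-BAE7-9F406F687A53}
11/22/2010 7:58:33 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {26608B46-476A-4BF1-9CC6-AFEA28EBBC17}
11/22/2010 7:58:25 PM, error: Service Control Manager [7022] - The McAfee VirusScan Announcer service hung on starting.
11/21/2010 1:56:01 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.
"""

# One DDS event-viewer line: "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Win32 error 1058 is ERROR_SERVICE_DISABLED: the service exists but is marked disabled.
ERROR_SERVICE_DISABLED = "1058"

# DCOM 10005: DCOM could not start a service it needed. SCM 7022: a service hung while starting.
DCOM_RE = re.compile(r'got error "%(\d+)" attempting to start the service (\S+)')
SCM_HUNG_RE = re.compile(r"The (.+?) service hung on starting")


def parse_events(text):
    """Parse every well-formed event line into a dict; skip blank or unparseable lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_service_start_failures(events):
    """Return (service name, reason) for each event that records a service failing to start."""
    findings = []
    for ev in events:
        if ev["source"] == "DCOM" and ev["event_id"] == "10005":
            m = DCOM_RE.search(ev["message"])
            if m:
                code, service = m.groups()
                if code == ERROR_SERVICE_DISABLED:
                    reason = "service disabled (error 1058)"
                else:
                    reason = "start failed (error %s)" % code
                findings.append((service, reason))
        elif ev["source"] == "Service Control Manager" and ev["event_id"] == "7022":
            m = SCM_HUNG_RE.search(ev["message"])
            if m:
                findings.append((m.group(1), "hung on starting"))
    return findings


def count_by_source(events):
    """Count events per source, so noisy non-security sources (SideBySide, W32Time) stand out."""
    return Counter(ev["source"] for ev in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("events per source:", dict(count_by_source(evs)))
    for service, reason in find_service_start_failures(evs):
        print("service start failure: %s - %s" % (service, reason))
```

When a security product's services show up here as disabled and the person at the keyboard did not disable them, that is the point to suspect tampering rather than a configuration slip; in this thread the user had switched McAfee off deliberately, so the findings are expected.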

JonTom
2010-11-29, 20:03
Hello tbinder

Thank you for the logs. That file is clean.


"the searches are no longer being redirected so that's a good sign"
So far so good!


"At what point can I enable Mcafee again?"
You can enable McAfee after the Online scan we are about to run.

Please work your way through the following steps:

P2P Programs:


P2P programs are a major source of Malware infections.
From your log I see you have LimeWire 4.14.8. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
If you wish to keep the program(s), please do not use them until your computer is cleaned.


Information regarding the risk of using these programs can be found from here (http://malwareremoval.com/p2pindex.php) and here. (http://www.internetworldstats.com/articles/art053.htm)


It is strongly recommended that you uninstall any P2P programs you have on your system.


To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
A list of currently installed programs will be displayed.
Find the "LimeWire 4.14.8" program, click on it once and then click on the "Remove" button.
If you are prompted to re-boot your computer to complete the uninstall please do so.


PLEASE NOTE:
Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.



Foistware


I can see from your log that you have Viewpoint Media Player installed.
Viewpoint Media Player is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
It is recommended that you remove Viewpoint products. However, this choice is up to you.
To remove these programs, click "Start" and then on "Control Panel" and then on "Add or Remove Programs".
Select Viewpoint Media Player and click on "Remove".



Please run the following scan


Note: You will need to use Internet Explorer for this scan.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.



Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.



Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png


Once you have the ESET log re-engage your McAfee.

Please post the ESET log in your next reply along with a new DDS log taken after the ESET scan (I need to see the DDS.txt - you posted the attach.txt last time).

Also, please let me know how your machine is running now.

tbinder
2010-12-04, 02:05
I apologize for not responding, I am working on this and will try to complete tomorrow!

ken545
2010-12-08, 13:24
Good Morning,

JonTom is away, do you still need help? How are things running now?

tbinder
2010-12-09, 03:06
Ok, removed limewire, I think I did it right. Below is the log from eset, machine seems to be running much better, have not had any redirects.

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088395.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088398.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088399.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088400.DLL a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088402.DLL Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088403.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088404.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088405.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088407.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088410.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0088411.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined


==== End Of File ===========================

New DDS log:

DDS (Ver_10-11-27.01) - NTFSx86
Run by Teresa at 20:01:32.86 on Wed 12/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Teresa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: @Û - No File
BHO: rsion - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101105221642.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ¸?Û - No File
BHO: ø@Û - No File
BHO: ˆ?Û - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
mRun: [EPSON Stylus CX7800 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\teresa\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.library.icc.edu/lib/illcencol/support/plugins/ebraryRdr.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102w.bay102.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141084118537
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-5 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-5 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-5 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-5 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-5 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-5 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-5 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-5 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-5 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
S2 0115631290643078mcinstcleanup;McAfee Application Installer Cleanup (0115631290643078);c:\windows\temp\011563~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\011563~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-21 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-5 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-8-16 14336]

=============== Created Last 30 ================

2010-12-08 03:43:52 -------- d-----w- c:\program files\ESET
2010-11-29 03:40:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-29 03:40:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-23 07:50:00 -------- d-----w- c:\docume~1\teresa\locals~1\applic~1\Temp
2010-11-22 02:36:03 -------- d-sha-r- C:\cmdcons
2010-11-22 02:31:56 98816 ----a-w- c:\windows\sed.exe
2010-11-22 02:31:56 89088 ----a-w- c:\windows\MBR.exe
2010-11-22 02:31:56 256512 ----a-w- c:\windows\PEV.exe
2010-11-22 02:31:56 161792 ----a-w- c:\windows\SWREG.exe
2010-11-17 04:01:31 -------- d-----w- c:\program files\CCleaner
2010-11-13 02:08:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 02:08:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-13 02:04:23 -------- d-----w- c:\docume~1\teresa\applic~1\Malwarebytes
2010-11-13 02:04:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 02:04:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 02:04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 02:04:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-10-14 03:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-08 02:03:12 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-08 02:03:10 104 --sh--r- c:\windows\system32\4BC96202A9.sys
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 20:03:03.12 ===============

I'm going to go ahead and enable McAfee. How can I prevent future issues? Do you recommend I run anything regularly to stay on top of things?


Thanks for your help, I really appreciate it and am thankful I didn't have to pay someone to come and look at it!

ken545
2010-12-09, 10:15
Hi,

All ESET found were bad entries in your System Restore program; we are going to flush it all out. It also found an entry in the backup folder of what Combofix removed; we will take care of that in a bit.

You have a few funny entries on your DDS log. Let's do this.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.


Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on the More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on the Cancel button to exit.

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
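
As an added example (not part of this thread, and not code from the DDS or OTL tools), here is a small Python triage script for the browser add-on lines in the two log formats quoted here. It parses DDS `BHO:`/`TB:` lines and OTL `O2 - BHO:` lines and separates the "funny entries" ken545 is pointing at (a registry key name in the CLSID position that is not a CLSID at all) from ordinary leftovers (a valid CLSID whose DLL no longer exists) and from healthy entries. The sample lines are constructed in the format of the logs above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Well-formed COM class identifier, e.g. {53707962-6F74-2D53-2644-206D7942484F}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# DDS "Pseudo HJT Report" lines:  BHO: <name>: <clsid> - <dll>   or   BHO: <junk> - No File
DDS_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<ident>\S+) - (?P<target>.*)$")
# OTL lines:  O2 - BHO: (<name>) - <clsid> - <dll> (<vendor>)
OTL_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<ident>.+?) - (?P<target>.*)$")

# Phrases the two tools print when the registered DLL cannot be found on disk
MISSING_MARKERS = ("No File", "No CLSID value found", "File not found")


@dataclass
class Entry:
    source: str   # "dds" or "otl"
    kind: str     # "BHO" or "TB"
    name: str
    ident: str    # whatever the tool printed in the CLSID position
    target: str   # DLL path, or the tool's "not found" text

    def verdict(self) -> str:
        """Classify one browser add-on entry for triage."""
        if not CLSID_RE.fullmatch(self.ident):
            # The key name in the CLSID position is not a CLSID. DDS/OTL print this
            # when the key is damaged or deliberately obscured, so these entries
            # deserve a closer look in the Browser Helper Objects registry key.
            return "malformed-id"
        if any(marker in self.target for marker in MISSING_MARKERS):
            # Valid CLSID but the DLL is gone: clutter left by an uninstall or a
            # removal; harmless, but it should be cleaned up.
            return "missing-file"
        return "ok"


def parse_line(line: str) -> Optional[Entry]:
    """Parse a DDS BHO/TB line or an OTL O2 line; return None for anything else."""
    line = line.strip()
    m = DDS_RE.match(line)
    if m:
        return Entry("dds", m["kind"], m["name"] or "", m["ident"], m["target"])
    m = OTL_RE.match(line)
    if m:
        return Entry("otl", "BHO", m["name"], m["ident"], m["target"])
    return None


def triage(lines: Iterable[str]) -> List[Tuple[Entry, str]]:
    """Return (entry, verdict) for every recognised add-on line, in log order."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            results.append((entry, entry.verdict()))
    return results


def summarize(lines: Iterable[str]) -> dict:
    """Count verdicts so a reader sees at a glance how many entries need attention."""
    counts = {"malformed-id": 0, "missing-file": 0, "ok": 0}
    for _, verdict in triage(lines):
        counts[verdict] += 1
    return counts


# Constructed sample: a few lines in the DDS and OTL formats used in this thread.
SAMPLE_LOG = [
    "BHO: @Û - No File",
    "BHO: rsion - No File",
    "BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll",
    "TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File",
    "O2 - BHO: (no name) - ¸?Û - No CLSID value found.",
    "O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll (Safer Networking Limited)",
    "uStart Page = hxxp://www.yahoo.com/",   # not an add-on line; ignored
]

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:12} {entry.source.upper()} {entry.kind} {entry.ident!r} -> {entry.target}")
    print(summarize(SAMPLE_LOG))
```

Feed it the full "Pseudo HJT Report" or OTL output and the "malformed-id" entries are the ones to examine in the registry; "missing-file" entries are simply stale.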

tbinder
2010-12-15, 04:11
OK, the PC seems to be acting up again: very slow connecting to the internet, and I continue to get error messages from McAfee that it can't update my software and to check my internet connection or contact their technical support. What would be causing this? Here are the logs you requested.

OTL TEXT:
OTL logfile created on: 12/12/2010 9:31:57 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Teresa\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 104.04 Gb Free Space | 72.09% Space Free | Partition Type: NTFS

Computer Name: BINDER | User Name: Teresa | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Teresa\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcupdate.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc.)
PRC - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
PRC - C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe (Corel, Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE (SEIKO EPSON CORPORATION)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Teresa\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (nosGetPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll File not found
SRV - (0115631290643078mcinstcleanup) McAfee Application Installer Cleanup (0115631290643078) -- C:\WINDOWS\TEMP\011563~1.EXE File not found
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (MSK80Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McProxy) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()


========== Driver Services (SafeList) ==========

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found
DRV - (catchme) -- C:\DOCUME~1\Teresa\LOCALS~1\Temp\catchme.sys File not found
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (iviVD) -- C:\WINDOWS\system32\DRIVERS\iviVD.sys (InterVideo)
DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (STHDA) High Definition Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (IntelC53) -- C:\WINDOWS\system32\drivers\IntelC53.sys (Intel Corporation)
DRV - (USBCM) -- C:\WINDOWS\system32\drivers\Sacm2A.sys ( )
DRV - (IntelC52) -- C:\WINDOWS\system32\drivers\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\system32\drivers\IntelC51.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\system32\drivers\mohfilt.sys (Intel Corporation)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/12/11 16:58:55 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/11/22 20:16:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - @Û - No CLSID value found.
O2 - BHO: (no name) - ˆ?Û - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20101105221642.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (no name) - ¸?Û - No CLSID value found.
O2 - BHO: (no name) - ø@Û - No CLSID value found.
O2 - BHO: (no name) - rsion - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe (Corel, Inc.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [EPSON Stylus CX7800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MimBoot] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Teresa\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} http://site.ebrary.com.library.icc.edu/lib/illcencol/support/plugins/ebraryRdr.cab (Infotl Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by102w.bay102.mail.live.com/mail/resources/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141084118537 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab (FujifilmUploader Class)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Teresa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Teresa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/19 19:58:53 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/12 21:30:36 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Teresa\Desktop\OTL.exe
[2010/12/07 21:43:52 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/12/07 20:51:31 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/11/28 21:41:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/11/28 21:41:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/11/28 21:41:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/11/28 21:40:40 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/28 21:40:40 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/28 21:40:40 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/28 21:40:40 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/28 21:40:40 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/11/28 21:22:31 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Teresa\Desktop\ATF-Cleaner.exe
[2010/11/23 01:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Teresa\Local Settings\Application Data\Temp
[2010/11/22 20:18:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/11/21 20:36:03 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/21 20:31:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/21 20:31:56 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/21 20:31:56 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/21 20:31:56 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/21 20:31:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/11/21 18:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/11/21 18:45:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/11/19 19:58:53 | 000,000,000 | R--D | C] -- C:\autorun.inf
[2010/11/19 19:57:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Teresa\Application Data\U3
[2010/11/16 22:06:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Teresa\Recent
[2010/11/16 22:01:31 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/11/16 21:54:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/11/16 21:06:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/16 20:32:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/11/13 21:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/11/13 10:21:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2006/02/27 16:46:52 | 000,015,429 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\Sacm2A.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/12 21:30:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Teresa\Desktop\OTL.exe
[2010/12/12 20:55:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/12 13:56:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/12/12 01:55:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/11 16:54:04 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/12/11 16:53:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/11 16:53:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/11 16:53:27 | 2145,538,048 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/08 20:12:54 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2010/11/30 21:03:05 | 000,037,888 | ---- | M] () -- C:\Documents and Settings\Teresa\My Documents\HU300_Unit Seven_TeresaBinder.doc
[2010/11/30 20:19:18 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Teresa\Desktop\Microsoft Office Word 2003.lnk
[2010/11/29 20:56:27 | 002,211,799 | ---- | M] () -- C:\Documents and Settings\Teresa\My Documents\hunter manual.pdf
[2010/11/28 21:44:33 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\Teresa\Desktop\dds.scr
[2010/11/28 21:40:25 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/28 21:40:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/28 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/28 21:40:24 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/28 21:40:24 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/11/28 21:22:31 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Teresa\Desktop\ATF-Cleaner.exe
[2010/11/22 20:16:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/22 19:48:55 | 003,913,898 | R--- | M] () -- C:\Documents and Settings\Teresa\Desktop\ComboFix.exe
[2010/11/21 20:27:03 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2010/11/19 20:04:39 | 000,000,251 | ---- | M] () -- C:\Documents and Settings\Teresa\Desktop\Shortcut to gmer.lnk
[2010/11/19 19:51:16 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Teresa\Desktop\Flash_Disinfector.exe
[2010/11/16 22:17:53 | 000,000,164 | ---- | M] () -- C:\Documents and Settings\Teresa\My Documents\cc_20101116_221748.reg
[2010/11/16 22:17:27 | 000,001,654 | ---- | M] () -- C:\Documents and Settings\Teresa\My Documents\cc_20101116_221715 b.reg
[2010/11/16 22:16:45 | 000,283,588 | ---- | M] () -- C:\Documents and Settings\Teresa\My Documents\cc_20101116_221427.reg
[2010/11/16 22:01:32 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2010/11/16 21:15:56 | 000,050,176 | ---- | M] () -- C:\Documents and Settings\Teresa\My Documents\DDS.doc
[2010/11/16 21:05:23 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Teresa\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/16 21:05:21 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Teresa\Desktop\NTREGOPT.lnk
[2010/11/16 21:05:21 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Teresa\Desktop\ERUNT.lnk
[2010/11/16 20:56:46 | 000,005,006 | ---- | M] () -- C:\Documents and Settings\Teresa\My Documents\Attach 11-16-10.zip
[2010/11/13 21:23:38 | 000,425,401 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101116-050859.backup
[2010/11/13 19:06:55 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/11/13 06:24:24 | 000,009,566 | ---- | M] () -- C:\WINDOWS\wininit.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/30 20:41:07 | 000,037,888 | ---- | C] () -- C:\Documents and Settings\Teresa\My Documents\HU300_Unit Seven_TeresaBinder.doc
[2010/11/29 20:56:27 | 002,211,799 | ---- | C] () -- C:\Documents and Settings\Teresa\My Documents\hunter manual.pdf
[2010/11/28 21:44:33 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\Teresa\Desktop\dds.scr
[2010/11/21 20:36:09 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/11/21 20:36:04 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/21 20:31:56 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/21 20:31:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/21 20:31:56 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/21 20:31:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/21 20:31:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/21 20:29:57 | 003,913,898 | R--- | C] () -- C:\Documents and Settings\Teresa\Desktop\ComboFix.exe
[2010/11/21 18:45:54 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/21 18:45:54 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/19 20:04:39 | 000,000,251 | ---- | C] () -- C:\Documents and Settings\Teresa\Desktop\Shortcut to gmer.lnk
[2010/11/19 20:02:54 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Teresa\Desktop\Flash_Disinfector.exe
[2010/11/16 22:17:50 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Teresa\My Documents\cc_20101116_221748.reg
[2010/11/16 22:17:24 | 000,001,654 | ---- | C] () -- C:\Documents and Settings\Teresa\My Documents\cc_20101116_221715 b.reg
[2010/11/16 22:14:34 | 000,283,588 | ---- | C] () -- C:\Documents and Settings\Teresa\My Documents\cc_20101116_221427.reg
[2010/11/16 22:01:32 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2010/11/16 21:15:55 | 000,050,176 | ---- | C] () -- C:\Documents and Settings\Teresa\My Documents\DDS.doc
[2010/11/16 20:56:46 | 000,005,006 | ---- | C] () -- C:\Documents and Settings\Teresa\My Documents\Attach 11-16-10.zip
[2010/11/16 20:32:31 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Teresa\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/16 20:32:02 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Teresa\Desktop\NTREGOPT.lnk
[2010/11/16 20:32:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Teresa\Desktop\ERUNT.lnk
[2010/01/17 13:31:22 | 000,015,872 | ---- | C] () -- C:\Documents and Settings\Teresa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/27 10:43:46 | 000,003,607 | ---- | C] () -- C:\WINDOWS\disney.ini
[2008/08/26 20:39:54 | 000,000,125 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2008/08/23 15:45:22 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Teresa\Application Data\CopyToGo.dat
[2006/03/02 20:19:13 | 000,005,852 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/03/02 20:19:13 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\4BC96202A9.sys
[2006/02/27 16:46:52 | 000,053,693 | R--- | C] () -- C:\WINDOWS\UNDPX2A.sys
[2006/02/26 17:14:45 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/02/26 15:26:32 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/02/26 15:24:30 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX7800.ini
[2006/02/26 15:16:28 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Teresa\Local Settings\Application Data\fusioncache.dat
[2006/02/15 18:46:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/15 18:34:08 | 000,009,566 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/02/15 18:31:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/15 18:07:12 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/16 04:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 04:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/05/04 19:54:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2005/08/16 20:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2008/08/26 20:46:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2008/08/26 20:40:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2008/07/22 19:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/11/17 19:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/01 13:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Teresa\Application Data\com.Shutterfly.ExpressUploader
[2006/02/26 15:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Teresa\Application Data\Leadertech
[2006/12/13 20:42:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Teresa\Application Data\Snapfish

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

tbinder
2010-12-15, 04:12
And here is OTL Extras:
OTL Extras logfile created on: 12/12/2010 9:31:57 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Teresa\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 104.04 Gb Free Space | 72.09% Space Free | Partition Type: NTFS

Computer Name: BINDER | User Name: Teresa | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00EE8A81-4652-4672-BAD6-8D8CAC891507}" = Mickey Mouse Toddler
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C612230-5534-4DC3-B721-B802A83D55C3}" = The Book of Pooh
"{520E8334-F4F7-4DB5-AA74-E610CB19E59A}" = Winnie the Pooh Toddler Deluxe
"{55FA89BD-21D3-42F7-9249-C94C0094A83C}" = Apple Software Update
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel(R) PROSet for Wired Connections
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A52BB7E2-1D7F-40E3-ADA9-BDF1E0B3A65A}" = ColorSelectStudio
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}" = ArcSoft PhotoImpression 5
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E8C06CB3-5DB2-4689-B1DC-4A0220DEA96C}" = Consumer Complete Care Services Agreement
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"CCleaner" = CCleaner
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"ESPNMotion" = ESPNMotion
"getPlus(R)_ocx" = getPlus(R)_ocx
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee Total Protection
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer Basic
"Silent Package Run-Time Sample" = EPSON CX 7800 Guide
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Verizon High Speed Internet_is1" = Verizon High Speed Internet
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebSTAR DPC2100 Uninstall" = Scientific-Atlanta WebSTAR 2000 series Cable Modem
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/12/2010 10:28:15 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/12/2010 10:28:15 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/12/2010 10:28:15 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/12/2010 10:28:26 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/12/2010 10:28:26 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/12/2010 11:00:03 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 12/12/2010 11:00:04 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 12/12/2010 11:25:48 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/12/2010 11:30:05 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 12/12/2010 11:30:06 PM | Computer Name = BINDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

[ System Events ]
Error - 12/6/2010 11:29:41 PM | Computer Name = BINDER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service mcmscsvc with
arguments "" in order to run the server: {DDC6C82A-BCD6-480F-BAE7-9F406F687A53}

Error - 12/8/2010 10:07:56 PM | Computer Name = BINDER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service mcmscsvc with
arguments "" in order to run the server: {9B3BEB4E-1C5E-4A5F-BB36-2F6587DD34E2}

Error - 12/8/2010 11:09:58 PM | Computer Name = BINDER | Source = DCOM | ID = 10010
Description = The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register
with DCOM within the required timeout.

Error - 12/11/2010 6:56:56 PM | Computer Name = BINDER | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 12/12/2010 3:56:00 PM | Computer Name = BINDER | Source = SideBySide | ID = 16842813
Description = Syntax error in manifest or policy file "C:\Program Files\Apple Software
Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute
version is missing from element assemblyIdentity.

Error - 12/12/2010 3:56:00 PM | Computer Name = BINDER | Source = SideBySide | ID = 16842810
Description = Syntax error in manifest or policy file "C:\Program Files\Apple Software
Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2.

Error - 12/12/2010 3:56:00 PM | Computer Name = BINDER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Apple Software
Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation
completed successfully. .

Error - 12/12/2010 3:56:00 PM | Computer Name = BINDER | Source = SideBySide | ID = 16842813
Description = Syntax error in manifest or policy file "C:\Program Files\Apple Software
Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute
version is missing from element assemblyIdentity.

Error - 12/12/2010 3:56:00 PM | Computer Name = BINDER | Source = SideBySide | ID = 16842810
Description = Syntax error in manifest or policy file "C:\Program Files\Apple Software
Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.

Error - 12/12/2010 3:56:00 PM | Computer Name = BINDER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Apple Software
Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation
completed successfully. .


< End of report >

ken545
2010-12-15, 09:55
Let's try this

Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL



:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O2 - BHO: (no name) - @Û - No CLSID value found.
O2 - BHO: (no name) - ˆ?Û - No CLSID value found.
O2 - BHO: (no name) - ¸?Û - No CLSID value found.
O2 - BHO: (no name) - ø@Û - No CLSID value found.
O2 - BHO: (no name) - rsion - No CLSID value found.
[2010/11/13 21:23:38 | 000,425,401 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101116-050859.backup

:Services

:Reg

:Files


:Commands
[purity]
[emptytemp]
[RESETHOSTS]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered and reboot when it is done.
Then post the results of the log and a new OTL log (don't check the boxes beside LOP Check or Purity this time).
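One way to automate the triage these logs call for, as an added example that is not part of the thread and is not OTL's, Spybot's or McAfee's code: a Python script that applies the three checks the fix above is aimed at (O2 BHO entries with no CLSID, the O17 DNS server entries, and the hosts file that [RESETHOSTS] rewrites) to constructed sample input written in the same format as the logs. The BHO, O16 and DhcpNameServer lines copy the format seen in this thread; the NameServer line with a {HYPOTHETICAL-GUID} key and the 203.0.113.x addresses (a documentation range) are invented for contrast.

```python
"""Triage of search-redirect indicators in an OTL/HijackThis-style log and a hosts file.

Added example for this thread; it is not OTL, Spybot or any other tool from the page.
The sample log lines below are constructed for the demo: the BHO, O16 and DhcpNameServer
lines copy the format seen in the thread, while the NameServer line with a
{HYPOTHETICAL-GUID} key and the 203.0.113.x addresses (a documentation range) are invented.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_OTL_LOG = r"""
O2 - BHO: (no name) - @Û - No CLSID value found.
O2 - BHO: (no name) - rsion - No CLSID value found.
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{HYPOTHETICAL-GUID}: NameServer = 203.0.113.5
"""

# Constructed hosts file: a default XP file plus one blocklist-style sinkhole entry
# and one invented entry that points a search engine at a remote address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net
203.0.113.9     www.google.com google.com
"""

# Address ranges a home router or DHCP server would normally hand out as the DNS server.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - (?P<key>[^:\n]+): (?P<name>(?:Dhcp)?NameServer) = (?P<servers>.+)$", re.M)


def check_dns_servers(log: str) -> List[str]:
    """Flag O17 DNS servers that are not LAN addresses. DNS-changing malware points the
    machine at a remote resolver; a router address such as 192.168.1.1 is the normal case."""
    findings = []
    for m in O17_RE.finditer(log):
        for server in re.split(r"[ ,]+", m.group("servers").strip()):
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append(f"{m.group('name')}: unparseable DNS server {server!r}")
                continue
            if not any(ip in net for net in LAN_RANGES):
                findings.append(f"{m.group('name')}: DNS server {ip} is not a LAN address; "
                                "confirm it belongs to your ISP or a resolver you chose")
    return findings


def check_bhos(log: str) -> List[str]:
    """Flag O2 BHO entries whose CLSID cannot be resolved; these orphaned or malformed
    registrations are the lines the OTL fix above removes."""
    return [f"orphaned BHO: {line.strip()}"
            for line in log.splitlines()
            if line.startswith("O2 - BHO") and "No CLSID value found" in line]


def check_hosts(hosts: str) -> List[str]:
    """Flag hosts entries that send a name somewhere other than loopback or 0.0.0.0.
    Loopback/0.0.0.0 entries are how blocklist-style hosts files sinkhole ad domains;
    an entry pointing a search engine at a remote address is a redirect."""
    findings = []
    for raw in hosts.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        addr, *names = entry.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"malformed hosts entry: {raw.strip()}")
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append(f"hosts entry maps {', '.join(names)} to {ip} (redirect candidate)")
    return findings


def triage(log: str, hosts: str) -> Dict[str, List[str]]:
    """Run all checks and group the findings by indicator type."""
    return {"dns": check_dns_servers(log),
            "bho": check_bhos(log),
            "hosts": check_hosts(hosts)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_OTL_LOG, SAMPLE_HOSTS).items():
        print(f"[{kind}] {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

On a real machine the log text comes from the OTL output and the hosts content from C:\WINDOWS\System32\drivers\etc\hosts; the DNS check deliberately reports rather than judges, because a PC plugged straight into a cable modem can legitimately receive a public resolver address from the ISP.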

ken545
2010-12-19, 12:26
Still with us ?

tbinder
2010-12-20, 03:38
Yes, I apologize, haven't had much time to take care of this with the holidays. Will work on completing and posting the logs, appreciate all of the assistance this forum has provided already!

ken545
2010-12-20, 09:52
OK, just let me know if you will be away so I can keep this open for you; otherwise the forum closes the thread if there is no response in 4 days.

Have a nice Christmas

ken545
2010-12-28, 13:24
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.