Search results being redirected, could not post to spybot forum from infected pc

tbinder

New member
I haven't had many computer issues in the past, so this is the first time I've had to come to a forum for help; please be patient with me as I am not exactly computer savvy. I have just recently started having problems with search results being redirected, not all searches but most, and it seems to be getting worse. I just recently installed McAfee Antivirus and to my surprise the problem seems to have gotten worse. I installed Malwarebytes Anti-Malware as well as Spybot Search and Destroy and performed a scan with both before finding these forums; the scans have not changed the performance issues. I attempted to follow the steps in the FAQ before starting this post and downloaded ERUNT, but when I go to check system registry only I get an error message that the file does not exist and asks if I want to create it. I also went to post to this forum from the infected PC and keep getting an error message that Internet Explorer cannot display the webpage, but I have other tabs open that are still functioning fine. Please let me know if I need to include any additional details; like I said, this is new to me, I just want to get these issues fixed and try to prevent them in the future. Appreciate any assistance!!

DDS (Ver_10-11-10.01) - NTFSx86
Run by Teresa at 20:41:59.34 on Tue 11/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1203 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Teresa\Local Settings\Temporary Internet Files\Content.IE5\P7ZBO9HT\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: @Û - No File
BHO: rsion - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101105221642.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: ¸?Û - No File
BHO: ø@Û - No File
BHO: ˆ?Û - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
mRun: [EPSON Stylus CX7800 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [ohewekyr] c:\windows\temp\wgejfberh\teurduqtsbl.exe
StartupFolder: c:\docume~1\teresa\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.library.icc.edu/lib/illcencol/support/plugins/ebraryRdr.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102w.bay102.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141084118537
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-5 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-5 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-5 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-5 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-5 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-5 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-5 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-5 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-5 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-5 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-8-16 14336]

=============== Created Last 30 ================

2010-11-13 02:08:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 02:08:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-13 02:04:23 -------- d-----w- c:\docume~1\teresa\applic~1\Malwarebytes
2010-11-13 02:04:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 02:04:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 02:04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 02:04:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-06 02:58:24 -------- d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-10-14 03:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-08 02:03:12 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-08 02:03:10 104 --sh--r- c:\windows\system32\4BC96202A9.sys
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A982446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a988504]; MOV EAX, [0x8a988580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A9B2AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A9B47E8]
\Driver\atapi[0x8AA17350] -> IRP_MJ_CREATE -> 0x8A982446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A982292
user != kernel MBR !!!
sectors 312499998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 20:45:02.47 ===============
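As an added illustration (not part of this thread, and not code from the DDS tool), the script below triages a DDS log for the entries a helper looks at first in a redirect case: a hosts-file line that sinkholes a security site, an autostart entry launching from a temp directory, a BHO with a garbled name and no backing file, and the "user != kernel MBR" mismatch printed by the DDS rootkit module. The sample lines are constructed from the log above, and the vendor-name list and severity labels are assumptions of the example.

```python
"""Triage a DDS log for indicators that commonly accompany search redirects.

Added example, not part of the original thread or of the DDS tool. The rules
encoded here correspond to entries visible in the log posted above.
"""
import re

# Sample lines constructed from the DDS log above ("hxxp" is DDS's defanged "http").
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: @Û - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
dRun: [ohewekyr] c:\\windows\\temp\\wgejfberh\\teurduqtsbl.exe
Hosts: 127.0.0.1 www.spywareinfo.com

=================== ROOTKIT ====================

user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""

# Assumed list of security-related domains a hosts-file block would target.
SECURITY_SITES = ("spywareinfo", "mcafee", "malwarebytes", "safer-networking",
                  "symantec", "microsoft")
# Windows temp locations that no legitimate autostart should point into.
TEMP_DIRS = re.compile(r"\\(temp|temporary internet files)\\", re.I)
# uRun/mRun/dRun (and RunOnce) autostart lines: "dRun: [name] command"
RUN_LINE = re.compile(r"^([umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# BHO lines: "BHO: name: {clsid} - path" or "BHO: name - No File"
BHO_LINE = re.compile(r"^BHO: (?P<name>.*?)(?:: \{[0-9a-f-]+\})? - (?P<target>.+)$", re.I)


def triage(log_text):
    """Return a list of (severity, line, reason) tuples for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        if line.startswith("Hosts: "):
            # DDS only prints hosts entries that override the default file; one that
            # points a security vendor at localhost is a classic update/download block.
            parts = line.split()
            if (len(parts) >= 3 and parts[1].startswith("127.")
                    and any(site in parts[2].lower() for site in SECURITY_SITES)):
                findings.append(("high", line, "hosts file sinkholes a security site"))
            continue

        m = RUN_LINE.match(line)
        if m:
            # Random-looking name plus a temp-directory path is the usual dropper pattern.
            if TEMP_DIRS.search(m.group("cmd")):
                findings.append(("high", line, "autostart runs from a temp directory"))
            continue

        m = BHO_LINE.match(line)
        if m:
            name = m.group("name")
            # Unprintable or non-ASCII names with no file behind them are orphaned or
            # corrupted registrations, not a shipping product's helper object.
            if m.group("target") == "No File" and (not name.isprintable() or not name.isascii()):
                findings.append(("medium", line, "BHO with garbled name and no backing file"))
            continue

        if line.startswith("user != kernel MBR"):
            # The MBR as read through the normal disk stack differs from the MBR read
            # directly via the kernel driver: something is filtering disk reads.
            findings.append(("high", line,
                             "MBR seen from user mode differs from kernel view (bootkit signature)"))
    return findings


def main():
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n          {line}")


if __name__ == "__main__":
    main()
```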
 
Hello tbinder and :welcome:

My name is JonTom

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

please be patient with me as I am not exactly computer savvy
Don't worry. If there is anything you do not understand or are unsure about, just ask - it's what I am here for.

When you ran DDS were two logs produced? You posted DDS.txt (the main log) but there should also have been a second log created called attach.txt. If you have the attach.txt please post it in your next reply.

Before we do any fixing I would like to see the results of an ARK scan.

could not post to spybot forum from infected pc
If you cannot establish a stable connection from the infected machine, please download the required tools using a clean (uninfected) system and transfer them to the infected machine, either by burning them to disk or by using a flash drive (USB memory stick).

If you choose to use a USB stick, please run the following program to minimise the chances of cross-infection:

  1. Please download Flash Disinfector

    • Click here to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
    • Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
    • The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
    • Wait until Flash disinfector has finished scanning and then exit the program.
    • Reboot your computer.

    Once you have done this, please do the following:

  2. Please scan your system with GMER

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


    Please post the GMER log in your next reply. If you encounter any difficulties getting the scan to complete come back and let me know.
 
response

Ok, I hope I have done this correctly. I am attaching the DDS log that I initially left off. Below is the GMER text after the scan completed. I should also tell you that my husband, in an attempt to help, downloaded and scanned with CCleaner; I thought you would probably need to know that moving forward. I told him no more helping. I hope that doesn't cause any issues, and if it does I apologize. Please let me know if I haven't included what you need or if I have pasted/attached incorrectly. Thanks again, Teresa

Below is the first portion of the GMER text; it wouldn't all fit in one post, so the rest will follow.
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-19 20:30:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1600JS-75NCB1 rev.10.02E01
Running: gmer.exe; Driver: C:\DOCUME~1\Teresa\LOCALS~1\Temp\uftdqpob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E970E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E970F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E97120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E97176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E970CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E970A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E970B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E9710A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E9714C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E97136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E971A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E9718C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E97160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9E97164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B9E9717A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B9E97190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP B9E97150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B9E970A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP B9E970BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B9E971A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP B9E9713A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B9E9710E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP B9E970E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B9E970F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B9E97124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9E970D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xBA3E3760]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DE0FDB
.text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE0011
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0F8B
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F9C
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0080
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0FC3
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FD4
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD00CC
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F7A
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F44
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F69
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD0102
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD0065
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD0014
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD00A5
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0040
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD002F
.text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD00DD
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0087
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC002C
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC0011
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC006C
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0051
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0042
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0FB7
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0027
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FC8
.text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FE3
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DA001B
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DA0FDB
.text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00DA002C
.text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0FA5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB009A
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0FC0
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB007D
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F77
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00F5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00E4
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F37
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB006C
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB00B5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F66
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0F72
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D2003D
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FC6
2nd portion of GMER text

rest of GMER text

.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA00EE
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA001B
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA0F81
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA0047
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA00C2
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90F9B
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90062
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E90047
.text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E90FC0
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80033
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80FB2
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80FC3
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80018
.text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E60FCA
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00E60FA5
.text C:\WINDOWS\system32\svchost.exe[1988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 010B0FEF
.text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 010B0FD4
.text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 010B0000
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010A0FEF
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010A0082
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010A005D
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010A0040
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010A002F
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010A0014
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010A0F55
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010A0F66
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010A0F33
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010A00C2
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010A00DD
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010A0F8D
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010A0FCA
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010A0093
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010A0FA8
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010A0FB9
.text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010A0F44
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0029
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0018
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01090022
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0109004E
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01090011
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01090FDB
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01090F91
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01090033
.text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01090FAC
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\dllhost.exe[3492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A543292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A543292

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312499744 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
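The GMER log above lists, per process, which exported APIs have been patched in memory and where each patched entry point now jumps. Reading hundreds of such lines by hand is error-prone, so here is an added triage helper (it is not part of this thread, not a GMER or Spybot tool, and the line grammar it assumes is inferred from the lines shown above rather than taken from GMER documentation). It groups hooks by process, collects the 64 KiB regions the JMPs land in, reports the APIs hooked in every process (an identical set across unrelated processes usually means one injected component) and flags functions GMER reports in more than one fragment, as it does for RegCreateKeyW in svchost.exe[1972]. The sample lines are constructed in the same shape as the log. The output is only a summary: security products such as the McAfee suite present on this machine patch the same APIs, so attributing a hook still requires checking its target against the process's loaded-module list.

```python
import re
from collections import defaultdict

# Grammar assumed for GMER 1.0.15 user-mode hook lines (inferred from the log, not an official spec):
# .text <process path>[<pid>] <module>!<function>[ + <offset>] <address> <n> Bytes <patch description>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})$")

# Constructed sample in the same shape as the thread's log (a few lines, not the full log).
SAMPLE_LOG = """\
.text C:\\WINDOWS\\system32\\svchost.exe[1972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C600FC
.text C:\\WINDOWS\\system32\\svchost.exe[1972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FD4
.text C:\\WINDOWS\\system32\\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 001B0F9E
.text C:\\WINDOWS\\system32\\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3B, 88]
.text C:\\WINDOWS\\system32\\svchost.exe[1972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
.text C:\\WINDOWS\\system32\\svchost.exe[1988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA00EE
.text C:\\WINDOWS\\system32\\svchost.exe[1988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA001B
.text C:\\WINDOWS\\system32\\svchost.exe[1988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
.text C:\\WINDOWS\\system32\\dllhost.exe[3492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010A00DD
.text C:\\WINDOWS\\system32\\dllhost.exe[3492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
---- Devices - GMER 1.0.15 ----
"""


def parse_hooks(text):
    """Parse '.text' hook lines into dicts; every other line (headers, device list) is skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["offset"] = int(h["offset"]) if h["offset"] else 0
        h["addr"] = int(h["addr"], 16)
        h["nbytes"] = int(h["nbytes"])
        j = JMP_RE.match(h["patch"].strip())
        h["jmp_target"] = int(j.group("target"), 16) if j else None  # None for raw byte patches
        h["api"] = f"{h['module']}!{h['func']}"
        h["process"] = f"{h['proc']}[{h['pid']}]"
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Per process: number of hook lines, the set of hooked APIs, and the 64 KiB regions JMPs land in."""
    out = defaultdict(lambda: {"entries": 0, "apis": set(), "jmp_regions": set()})
    for h in hooks:
        s = out[h["process"]]
        s["entries"] += 1
        s["apis"].add(h["api"])
        if h["jmp_target"] is not None:
            s["jmp_regions"].add(h["jmp_target"] & 0xFFFF0000)
    return dict(out)


def shared_apis(summary):
    """APIs hooked in every process in the log: the footprint of a single system-wide injected component."""
    sets = [s["apis"] for s in summary.values()]
    return set.intersection(*sets) if sets else set()


def split_hooks(hooks):
    """(process, api) pairs GMER reports in more than one fragment, i.e. a patch that is not a plain
    5-byte JMP (such as '2 Bytes JMP' followed by '+ 3 ... 2 Bytes [..]'); these merit a manual look."""
    seen = defaultdict(int)
    for h in hooks:
        seen[(h["process"], h["api"])] += 1
    return sorted(k for k, n in seen.items() if n > 1)


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    summary = summarize(hooks)
    for proc, s in summary.items():
        regions = ", ".join(f"{r:08X}" for r in sorted(s["jmp_regions"]))
        print(f"{proc}: {s['entries']} hook lines, {len(s['apis'])} APIs, JMP regions: {regions}")
    print("hooked in every process:", sorted(shared_apis(summary)))
    print("fragmented patches:", split_hooks(hooks))
```

To run it against a real GMER.txt, replace SAMPLE_LOG with the file contents; the parser ignores the kernel-mode, device and disk-sector sections and only summarizes the `.text` lines.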
 
Hello tbinder

Please let me know if I haven't included what you need or if I have pasted/attached incorrectly.
You did everything perfectly :bigthumb:

I told him no more helping
While it is always tempting to run scans and extra tools, please try to refrain from doing so as it can make spotting problems and log interpretation much more difficult.

Please do the following:


  1. Please disable Spybot Teatimer

    • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
    • On the left hand side, click "Tools", then click on the "Resident" icon in the list.
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active" box.
    • Click the "System Startup" icon in the List.
    • Uncheck the "TeaTimer" box and "OK" any prompts.
    • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    • Exit Spybot S&D when done.

  2. Combofix

    • Download ComboFix from one of the following locations:

      Link 1
      Link 2

    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RCUpdate1.png

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    RC2-1.png

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
 
When I go to system startup I do not see anything called tea timer to uncheck? There are three columns of information, key, value and command line - I don't see tea timer in any of these areas? I also started getting error messages today that Mcafee couldn't update software with a suggestion to check my internet connection - connection is fine? Now what??
 
Hello tbinder

Now what??
Please make sure that the "Resident TeaTimer" box is Unchecked and everything should be fine. Once it is Unchecked go ahead and run ComboFix :)
 
To disable Mcafee do I just turn the firewall off or is there something else that also needs done. Do I need to disable anything else like the malwarebytes antimalware or spybot S&D, ccleaner? Do I do anything with those or anything else?
 
Hello tbinder

Do I need to disable anything else like the malwarebytes antimalware or spybot S&D, ccleaner?
You do not need to disable MalwareBytes or ccleaner, and provided you disable Spybot's Teatimer all should be well.

To disable Mcafee do I just turn the firewall off or is there something else that also needs done.
You need to disable the Firewall and the AntiVirus (if you have additional applications you can disable them also).

There is information provided in the ComboFix instructions to help you disable your security applications, and you can also refer to your User manual for additional information.

As a general guide please try the following:


Double-click the McAfee icon in your taskbar (bottom right hand corner of the screen) to open MCAfee SecurityCenter

Click Advanced Menu (bottom)

Click Configure (left)

Click Computer & Files (top left)

In the right-hand space you can disable VirusScan and select for how long (as we do not know how long ComboFix will take to complete its scan you may have to leave McAfee permanently disabled and then re-enable it after the scan has completed).

You should also be able to disable your Firewall and additional McAfee features from this page.

Once McAfee is disabled run ComboFix and post the log created.
 
Ok, I think I have disabled Mcafee correctly, not completely certain as I have never done that before. Started the scan and almost immediately had this message pop up, The Master Boot Record is infected!! Make sure your antivirus programs are disabled before clicking ok. Do I click ok, is this a sign that I haven't disabled properly? Just concerned me so I haven't clicked ok and logged in from my work laptop as it wouldn't allow me to post to the forum again. Please advise.
 
Hello tbinder

is this a sign that I haven't disabled properly? Please advise.
I am aware of the mbr infection on your machine. You are not doing anything wrong :) The message you are receiving is not related to your not disabling your security software properly.

There is no need to worry tbinder. Everything you have described is normal. You may receive additional messages from ComboFix during the course of the scan. If this happens, don't be alarmed but allow ComboFix to run unhindered.
 
Combofix log

Here is the log, please let me know what I need to do next!! Thank you for taking the time to walk me through all of this!

ComboFix 10-11-22.04 - Teresa 11/22/2010 19:59:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1529 [GMT -6:00]
Running from: c:\documents and settings\Teresa\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-17 02:32 . 2010-11-17 03:05 -------- d-----w- c:\program files\ERUNT
2010-11-14 06:52 . 2010-11-14 06:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-11-14 03:08 . 2010-11-14 03:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-13 02:08 . 2010-11-20 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-13 02:08 . 2010-11-13 02:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 02:04 . 2010-11-13 02:04 -------- d-----w- c:\documents and settings\Teresa\Application Data\Malwarebytes
2010-11-13 02:04 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 02:04 . 2010-11-13 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 02:04 . 2010-11-13 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-13 02:04 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 11:46 . 2010-11-12 11:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-12 10:40 . 2010-11-12 10:40 -------- d-sh--w- c:\documents and settings\Jeremy\IETldCache
2010-11-06 02:58 . 2010-11-06 02:58 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2005-08-16 10:18 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2005-08-16 10:18 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2005-08-16 10:18 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2005-08-16 10:18 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2005-08-16 10:18 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2005-08-16 10:18 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2005-08-16 10:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2006-02-16 00:06 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-21 00:18 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-16 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]
"EPSON Stylus CX7800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\documents and settings\Teresa\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2010-09-30 18:10 1193848 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/5/2010 9:07 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/5/2010 9:07 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/5/2010 9:07 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/5/2010 9:07 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [11/5/2010 9:07 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/5/2010 9:07 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/5/2010 9:07 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/5/2010 9:07 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/5/2010 9:07 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/21/2010 6:45 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/5/2010 9:07 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/5/2010 9:07 PM 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 4:18 AM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]

2010-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-22 00:45]

2010-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-22 00:45]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SAClient - c:\program files\Insight\BBClient\Programs\RegCon.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper_3004.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2010-11-22 20:18:52
ComboFix-quarantined-files.txt 2010-11-23 02:18

Pre-Run: 104,787,730,432 bytes free
Post-Run: 105,560,604,672 bytes free

- - End Of File - - C1124E3143B6D6B0EDDA2ED641A20DDD
 
Hello tbinder

Great job running ComboFix :bigthumb:

Thank you for taking the time to walk me through all of this!
No problem at all. You are doing really well :)

Please do the following:

  1. Please scan the following files


    • On the page you'll find a "Browse" button.
    • Click on the Browse button.
    • In the Choose File to Upload window which opens, copy and paste this into the File Name box.


    c:\windows\system32\CLBCATQ.DLL

    • Next, click the Open button.
    • Then click the "Send File" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying File has already been analyzed: click Reanalyze file now.
    • Once scanned, copy and paste the link to the results page in your next reply.

  2. Clean out your temporary files

    • Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
    • Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
    • Check the boxes to the left of the following:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Java Cache
    • The rest are optional. If you want to remove everything check the "Select All" box.
    • Click on "Empty Selected" to begin cleaning.
    • Once the "Done Cleaning" message appears, click OK.
    • If you use Firefox, Click on the Firefox tab and repeat the above process.
    • When you have finished cleaning, click on the "Exit" button in the main menu.

  3. MalwareBytes AntiMalware:

    • I can see that you have MBAM installed.
    • Double click on your MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

  4. Please update your Java

    • Click on "Start", then on "Control Panel".
    • Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find (Java(TM) 6 Update 7).
    • Reboot your computer.
    • Next, download the latest version of Java by clicking here
    • Scroll down the page until you reach "Java Platform Standard Edition".
    • Beneath this and to the right, you will see a button marked "Download JRE".
    • Click the "Download JRE" button.
    • Select the platform (Windows, in your case), multi language.
    • Accept the license agreement and click on "Continue".
    • You do not have to register if you do not want to (the registration step is optional).
    • Scroll down and click on the file called jre-6u22-windows-i586.exe located under "Windows Offline Installation".
    • Save the file to your desktop.
    • Do not select Run.
    • Double click on the saved file (jre-6u22-windows-i586.exe) to install the update.
    • Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.

    Please post the VirusTotal scan link and the MBAM log in your next reply.

    Also, please provide a new DDS scan (I only need to see the DDS.txt log) and let me know how your machine is running now.
 
Hello, I have not forgotten about what I need to do, just haven't had time with the Thanksgiving holiday! Plan on working on it tonight. Did try a search just to see what happened and had issues, but I haven't followed the steps yet in the last post. Working on it.... will let you know when complete!
 
Ok, here goes - here is the link to the Virus Total Scan.

http://www.virustotal.com/file-scan...05a1035368a152cdc705804e85b7673198-1291000791

Below is the MBAM log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5210

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/28/2010 9:33:30 PM
mbam-log-2010-11-28 (21-33-30).txt

Scan type: Quick scan
Objects scanned: 165810
Time elapsed: 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And below is the DDS log.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/26/2006 3:15:55 PM
System Uptime: 11/24/2010 1:11:24 PM (104 hours ago)

Motherboard: Dell Inc. | | 0WG261
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 98.099 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP934: 8/30/2010 11:50:55 PM - System Checkpoint
RP935: 9/1/2010 1:02:54 AM - System Checkpoint
RP936: 9/2/2010 1:14:54 AM - System Checkpoint
RP937: 9/3/2010 2:14:55 AM - System Checkpoint
RP938: 9/4/2010 2:25:54 AM - System Checkpoint
RP939: 9/5/2010 2:37:54 AM - System Checkpoint
RP940: 9/6/2010 2:49:54 AM - System Checkpoint
RP941: 9/7/2010 4:01:56 AM - System Checkpoint
RP942: 9/8/2010 4:13:54 AM - System Checkpoint
RP943: 9/9/2010 5:25:54 AM - System Checkpoint
RP944: 9/10/2010 6:07:36 AM - System Checkpoint
RP945: 9/11/2010 7:01:54 AM - System Checkpoint
RP946: 9/12/2010 7:37:59 AM - System Checkpoint
RP947: 9/13/2010 8:13:54 AM - System Checkpoint
RP948: 9/14/2010 3:00:16 AM - Software Distribution Service 3.0
RP949: 9/15/2010 3:00:42 AM - Software Distribution Service 3.0
RP950: 9/16/2010 3:03:45 AM - System Checkpoint
RP951: 9/17/2010 3:15:45 AM - System Checkpoint
RP952: 9/18/2010 3:27:45 AM - System Checkpoint
RP953: 9/19/2010 4:27:45 AM - System Checkpoint
RP954: 9/20/2010 5:39:46 AM - System Checkpoint
RP955: 9/21/2010 7:03:45 AM - System Checkpoint
RP956: 9/22/2010 8:03:45 AM - System Checkpoint
RP957: 9/23/2010 9:02:44 AM - System Checkpoint
RP958: 9/24/2010 10:32:40 AM - System Checkpoint
RP959: 9/25/2010 11:27:48 AM - System Checkpoint
RP960: 9/26/2010 4:20:33 PM - System Checkpoint
RP961: 9/27/2010 4:27:48 PM - System Checkpoint
RP962: 9/28/2010 5:43:39 PM - System Checkpoint
RP963: 9/29/2010 6:50:43 PM - System Checkpoint
RP964: 9/30/2010 3:00:15 AM - Software Distribution Service 3.0
RP965: 10/1/2010 3:26:43 AM - System Checkpoint
RP966: 10/2/2010 5:38:43 AM - System Checkpoint
RP967: 10/3/2010 7:02:43 AM - System Checkpoint
RP968: 10/4/2010 7:26:43 AM - System Checkpoint
RP969: 10/5/2010 8:26:43 AM - System Checkpoint
RP970: 10/6/2010 10:38:43 AM - System Checkpoint
RP971: 10/7/2010 3:00:15 AM - Software Distribution Service 3.0
RP972: 10/7/2010 9:08:32 PM - Software Distribution Service 3.0
RP973: 10/8/2010 9:36:31 PM - System Checkpoint
RP974: 10/9/2010 10:17:18 PM - System Checkpoint
RP975: 10/10/2010 11:08:31 PM - System Checkpoint
RP976: 10/11/2010 11:15:06 PM - System Checkpoint
RP977: 10/12/2010 11:39:04 PM - System Checkpoint
RP978: 10/14/2010 12:51:04 AM - System Checkpoint
RP979: 10/14/2010 3:00:57 AM - Software Distribution Service 3.0
RP980: 10/15/2010 6:14:26 AM - System Checkpoint
RP981: 10/16/2010 7:37:21 AM - System Checkpoint
RP982: 10/17/2010 7:55:45 AM - System Checkpoint
RP983: 10/18/2010 8:48:11 AM - System Checkpoint
RP984: 10/19/2010 5:42:44 PM - System Checkpoint
RP985: 10/20/2010 6:43:45 PM - System Checkpoint
RP986: 10/21/2010 8:06:23 PM - System Checkpoint
RP987: 10/22/2010 9:27:37 PM - System Checkpoint
RP988: 10/23/2010 9:36:51 PM - System Checkpoint
RP989: 10/24/2010 10:09:42 PM - System Checkpoint
RP990: 10/25/2010 10:31:45 PM - System Checkpoint
RP991: 10/26/2010 11:43:45 PM - System Checkpoint
RP992: 10/27/2010 11:55:45 PM - System Checkpoint
RP993: 10/29/2010 12:19:45 AM - System Checkpoint
RP994: 10/30/2010 12:31:45 AM - System Checkpoint
RP995: 10/31/2010 1:46:28 AM - System Checkpoint
RP996: 11/1/2010 1:55:45 AM - System Checkpoint
RP997: 11/2/2010 3:07:45 AM - System Checkpoint
RP998: 11/3/2010 4:19:45 AM - System Checkpoint
RP999: 11/4/2010 6:33:39 AM - System Checkpoint
RP1000: 11/5/2010 7:43:45 AM - System Checkpoint
RP1001: 11/6/2010 8:38:16 AM - System Checkpoint
RP1002: 11/7/2010 11:00:51 AM - System Checkpoint
RP1003: 11/8/2010 12:12:58 PM - System Checkpoint
RP1004: 11/9/2010 12:13:16 PM - System Checkpoint
RP1005: 11/10/2010 1:21:34 PM - System Checkpoint
RP1006: 11/11/2010 3:00:31 AM - Software Distribution Service 3.0
RP1007: 11/12/2010 6:07:56 AM - System Checkpoint
RP1008: 11/13/2010 6:19:47 AM - System Checkpoint
RP1009: 11/14/2010 6:33:26 AM - System Checkpoint
RP1010: 11/15/2010 7:21:25 AM - System Checkpoint
RP1011: 11/16/2010 8:03:50 AM - System Checkpoint
RP1012: 11/17/2010 8:41:29 AM - System Checkpoint
RP1013: 11/18/2010 8:53:23 AM - System Checkpoint
RP1014: 11/19/2010 9:41:24 AM - System Checkpoint
RP1015: 11/20/2010 9:51:34 AM - System Checkpoint
RP1016: 11/21/2010 11:23:55 AM - System Checkpoint
RP1017: 11/24/2010 1:27:37 PM - System Checkpoint
RP1018: 11/25/2010 1:51:48 PM - System Checkpoint
RP1019: 11/26/2010 3:01:34 PM - System Checkpoint
RP1020: 11/27/2010 3:15:32 PM - System Checkpoint
RP1021: 11/28/2010 4:16:32 PM - System Checkpoint
RP1022: 11/28/2010 9:35:14 PM - Removed Java(TM) 6 Update 7
RP1023: 11/28/2010 9:40:20 PM - Installed Java(TM) 6 Update 22

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
AOLIcon
Apple Software Update
ArcSoft PhotoImpression 5
ATI Control Panel
ATI Display Driver
CCleaner
ColorSelectStudio
Consumer Complete Care Services Agreement
Corel Paint Shop Pro X
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Download Manager
Dell Driver Reset Tool
Dell Game Console
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Digital Content Portal
EducateU
ELIcon
EPSON CX 7800 Guide
EPSON Printer Software
EPSON Scan
ERUNT 1.1j
ESPNMotion
GemMaster Mystic
getPlus(R)_ocx
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 22
Learn2 Player (Uninstall Only)
LimeWire 4.14.8
Malwarebytes' Anti-Malware
McAfee Total Protection
MCU
Mickey Mouse Toddler
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Basic Edition 2003
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Otto
PowerDVD 5.5
Qualxserve Service Agreement
RealPlayer Basic
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic DLA
Sonic Encoders
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
The Book of Pooh
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Verizon High Speed Internet
Viewpoint Media Player
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Winnie the Pooh Toddler Deluxe
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

11/24/2010 1:12:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/23/2010 9:18:47 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {DDC6C82A-BCD6-480F-BAE7-9F406F687A53}
11/22/2010 7:58:33 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {26608B46-476A-4BF1-9CC6-AFEA28EBBC17}
11/22/2010 7:58:25 PM, error: Service Control Manager [7022] - The McAfee VirusScan Announcer service hung on starting.
11/22/2010 7:56:58 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {9B3BEB4E-1C5E-4A5F-BB36-2F6587DD34E2}
11/21/2010 1:56:01 PM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/21/2010 1:56:01 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/21/2010 1:56:01 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.
11/21/2010 1:56:00 PM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/21/2010 1:56:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/21/2010 1:56:00 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2.

==== End Of File ===========================

I did a search and it appears that the searches are no longer being redirected, so that's a good sign. Is there anything else I need to do moving forward? What can I do to prevent this issue in the future? At what point can I enable McAfee again? Appreciate all of the help so far!!
 
Hello tbinder

Thank you for the logs. That file is clean.

the searches are no longer being redirected so that's a good sign
So far so good!

At what point can I enable Mcafee again?
You can enable McAfee after the Online scan we are about to run.

Please work your way through the following steps:

  1. P2P Programs:

    • P2P programs are a major source of Malware infections.
    • From your log I see you have LimeWire 4.14.8. We do not pass judgment on file-sharing; however, we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
    • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
    • If you wish to keep the program(s), please do not use them until your computer is cleaned.

    • Information regarding the risk of using these programs can be found from here and here.

    • It is strongly recommended that you uninstall any P2P programs you have on your system.

    • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • A list of currently installed programs will be displayed.
    • Find the "LimeWire 4.14.8" program, click on it once and then click on the "Remove" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.


      PLEASE NOTE:
    • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.

  2. Foistware

    • I can see from your log that you have Viewpoint Media Player installed.
    • Viewpoint Media Player is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
    • It is recommended that you remove Viewpoint products. However, this choice is up to you.
    • To remove these programs, click "Start" and then on "Control Panel" and then on "Add or Remove Programs".
    • Select Viewpoint Media Player and click on "Remove".

  3. Please run the following scan

    • Note: You will need to use Internet Explorer for this scan.
    • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
    • Please disable your real time security programs before performing the scan.

    • Scan your system with Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use.
    • Click the [esetOnline.png] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
    • Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.

    • Check [esetAcceptTerms.png].
    • Click the [esetStart.png] button.
    • Accept any security warnings from your browser.
    • Check [esetScanArchives.png].
    • Push the "Start" button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [esetListThreats.png].
    • Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [esetBack.png] button.
    • Push [esetFinish.png].

    Once you have the ESET log re-engage your McAfee.

    Please post the ESET log in your next reply along with a new DDS log taken after the ESET scan (I need to see the DDS.txt - you posted the attach.txt last time).

    Also, please let me know how your machine is running now.
 
Good Morning,

JonTom is away, do you still need help? How are things running now?
 