
Zlob DNS changer


  • This topic is locked
12 replies to this topic

#1 SuzanneMarie

SuzanneMarie

  • Members
  • 44 posts
  • Location:Rhyl, North Wales

Posted 23 January 2009 - 11:09 AM

My kids' computer was acting strange. IE will not run at all; it just keeps saying it has encountered a problem and needs to close, even when I try to run it with no add-ons. And McAfee will not update on their PC; I have it installed on 3 PCs in the house and the other PCs update fine. When I try to go to the McAfee web page on my kids' PC I can't get to it at all (I'm using Firefox). I ran Spybot and it found Zlob DNS changer, so I removed the entries with Spybot, but I still can't update McAfee and IE is not working. Here is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:01, on 23/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Phillip\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?sourceid=navcli...amp;source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Ubisoft register.lnk.disabled
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216771477156
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincico...d%20Control.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 10346 bytes

#2 SuzanneMarie

SuzanneMarie
  • Topic Starter

  • Members
  • 44 posts
  • Location:Rhyl, North Wales

Posted 24 January 2009 - 07:47 AM

Hello, I am sorry to double post (I know you are busy), but I installed SUPERAntiSpyware and ran that, and it detected these: Trojan.botnet/dropper, Rootkit.agent/gen-GAOPDX, Trojan DNS. Changer Codec, and Trojan DNS-Changer (hijacked dns). It removed all of them as far as I am aware; IE is back working properly again and McAfee is updating fine. Here is my latest HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:10, on 24/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Phillip\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Wallperizer.lnk = C:\Program Files\Wallperizer\Wallperizer.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Wallperizer.lnk = C:\Program Files\Wallperizer\Wallperizer.exe (User 'Default user')
O4 - .DEFAULT Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User 'Default user')
O4 - Startup: Wallperizer.lnk = C:\Program Files\Wallperizer\Wallperizer.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216771477156
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincico...d%20Control.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 12308 bytes

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 04 February 2009 - 02:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 SuzanneMarie

SuzanneMarie
  • Topic Starter

  • Members
  • 44 posts
  • Location:Rhyl, North Wales

Posted 04 February 2009 - 10:46 AM

Hi, thanks for the help. I don't have all the symptoms that I posted earlier. Internet Explorer is working fine again and McAfee is able to update, but there is something strange happening when I do a search with Google in Firefox (I haven't tried it with IE). I click on a link that it returns in the search and it takes me to the site OK. The strange thing happens when I click Back to go back a page to the search results: it doesn't take me back to the Google search results page, it takes me to a random search engine's page (with the results I was looking for) :) This may have nothing to do with the infection, I don't know... it's just strange :thumbup2:
Anyway, here are the results of the scan you asked me to do.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Michael at 15:24:57.98 on 04/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.441 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Michael\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim6]
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [atwtusb] atwtusb.exe beta
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SmartRAM] c:\program files\iobit\advanced windowscare v2\MemCleaner.exe /m
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\wallpe~1.lnk - c:\program files\wallperizer\Wallperizer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216771477156
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} - hxxp://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\5rfjxi8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [2008-10-29 22272]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-22 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-5 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-22 358736]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-7-22 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-22 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-22 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-22 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-12-3 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-12-3 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-12-3 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-12-3 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-12-3 100648]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-22 34152]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
S4 fasttrak;fasttrak; [x]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-01 17:32 13 a------- C:\fldate
2009-02-01 11:16 <DIR> --d----- c:\program files\Apophysis 2.0
2009-01-24 12:13 <DIR> --d----- c:\program files\ASIO4ALL v2
2009-01-24 12:13 225,280 a------- c:\windows\system32\rewire.dll
2009-01-24 12:13 <DIR> --d----- c:\program files\VstPlugins
2009-01-24 12:12 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-01-24 12:10 <DIR> --d----- c:\program files\Image-Line
2009-01-23 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-23 20:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-23 20:25 <DIR> --d----- c:\docume~1\michael\applic~1\SUPERAntiSpyware.com
2009-01-22 18:49 1,613,730 a------- C:\DOPE - Die Motherbleeper Die.mp3
2009-01-17 11:03 35,382 a------- c:\windows\scunin.dat
2009-01-17 11:03 94,208 a------- c:\windows\ScUnin.exe
2009-01-17 11:03 967 a------- c:\windows\ScUnin.pif
2009-01-16 20:39 1,917,586 a------- C:\Ebay.mp3
2009-01-16 20:33 3,312,882 a------- C:\Your Fat.mp3
2009-01-13 16:42 <DIR> --d----- c:\program files\Shockwave.com
2009-01-13 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SonyPicturesGames
2009-01-12 19:27 <DIR> --d----- c:\program files\Starcraft
2009-01-12 18:57 2,329,683 a------- C:\Kanye West - Gold Digger.mp3
2009-01-12 16:51 <DIR> --d----- c:\program files\GameSpy Arcade
2009-01-12 16:43 <DIR> --d----- c:\program files\Xplosiv
2009-01-12 16:43 767 a------- c:\windows\Thps3.INI
2009-01-11 17:12 <DIR> --d----- c:\program files\Microsoft
2009-01-11 17:11 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-01-11 12:39 <DIR> --d----- c:\program files\Turtix Rescue Adventure
2009-01-10 00:02 <DIR> --d----- c:\program files\Immortal Defense
2009-01-06 21:04 1,121,993 a------- C:\Bounce - System Of A Down.mp3
2009-01-06 08:18 268 a---h--- C:\sqmdata00.sqm
2009-01-06 08:18 244 a---h--- C:\sqmnoopt00.sqm

==================== Find3M ====================

2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-07 16:32 1,322 a------- c:\docume~1\michael\applic~1\wklnhst.dat
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-21 21:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-09 01:21 107,888 a------- c:\windows\system32\CmdLineExt.dll
2001-09-28 16:00 164,864 -------- c:\program files\UNWISE.EXE
2008-07-23 01:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072320080724\index.dat

============= FINISH: 15:25:34.93 ===============


#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:35 AM

Posted 04 February 2009 - 11:53 AM

Hello.

Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
    Right-click it -> choose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run SmitFraudFix
You can find complete instructions for running SmitFraudFix in the link below:
http://www.bleepingcomputer.com/forums/t/17258/how-to-remove-the-smitfraud-generic-zlob-quicknavigate-virtual-maid/
  • Please download SmitFraudFix by S!Ri to your desktop.
  • Boot your computer into Safe Mode before we can run this tool. Do not use the MsConfig method.
  • Double click the icon to run it.
  • Select Option 2 by typing 2 and hitting Enter.
  • The scan will progress. Answer Yes to any prompts you receive. This will include running disk cleanup and removing infected files.
  • The tool will restart your computer.
  • Upon reboot, a log file located at C:\rapport.txt will open. Copy its contents into your next reply.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Please post back with:
-the SmitFraudFix log
-the GMER scan log
-a new DDS.txt log

With Regards,
The Panda

#6 SuzanneMarie

SuzanneMarie
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  • Location:Rhyl, North Wales
  • Local time:04:35 AM

Posted 04 February 2009 - 07:44 PM

It doesn't seem to be redirecting my searches at the moment.....
Thanks, I did as you asked; here are the logs....

SmitFraudFix v2.392

Scan done at 23:54:00.95, 04/02/2009
Run from C:\Documents and Settings\Michael\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=85.255.115.36,85.255.112.83
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA8B6021-F731-4F92-8ED1-001123DE759C}: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=85.255.115.36,85.255.112.83
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA8B6021-F731-4F92-8ED1-001123DE759C}: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=85.255.115.36,85.255.112.83
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FA8B6021-F731-4F92-8ED1-001123DE759C}: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-05 00:31:49
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE7E9F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE67E9CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEE67EA61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE67E978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE67E98C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE67EA75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE67EAA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE67EB0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE67EAF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE67EA0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE67EB3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE67EA4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE67E950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE67E964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE67E9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE67EB77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE67EAE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE67EACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE67EA8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE67EB63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE67EB4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE67E9B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE67E9A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEE67EAB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE67EA39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE67EB25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE67EA20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE67E9F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP EE67E9F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP EE67E9CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP EE67EA0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP EE67EA24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP EE67E9E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP EE67E954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP EE67E968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP EE67E9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP EE67E990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP EE67E97C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 1 Byte [ E9 ]
PAGE ntkrnlpa.exe!ZwSetContextThread + 2 805C79B8 3 Bytes [ 6F, 0B, 6E ]
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP EE67EA3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 8061854A 7 Bytes JMP EE67EAD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80618898 7 Bytes JMP EE67EABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BC2 7 Bytes JMP EE67EB29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619460 7 Bytes JMP EE67EAE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D34 7 Bytes JMP EE67EA8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A312 5 Bytes JMP EE67EA65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7A2 7 Bytes JMP EE67EA79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A972 7 Bytes JMP EE67EAA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 7 Bytes JMP EE67EB13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADBC 7 Bytes JMP EE67EAFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B6E4 5 Bytes JMP EE67EA51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA0A 7 Bytes JMP EE67EB7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCCA 5 Bytes JMP EE67EB53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3BE 5 Bytes JMP EE67EB67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4D8 5 Bytes JMP EE67EB3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\lsass.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\lsass.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00EB002F
.text C:\WINDOWS\system32\lsass.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EB0014
.text C:\WINDOWS\system32\lsass.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F5F
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F70
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70054
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F97
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FA8
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70087
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70076
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F700BD
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700A2
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F700CE
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F70039
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F70065
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F70F24
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F60FC3
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F6006C
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F60051
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F60040
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F6002F
.text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70075
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F80
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70F91
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70FA2
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C7004E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C70092
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F4A
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F1E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F2F
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C700C8
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C70FC7
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C70F5B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C7003D
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C70022
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C700AD
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C60FC3
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C60065
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C60FDE
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C60FA8
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C6004A
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C6002F
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0277000A
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02770F55
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02770F70
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0277004A
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02770F8D
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02770FC3
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02770076
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02770F3A
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02770F13
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027700AC
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02770EF8
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02770FA8
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02770FE5
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02770065
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02770025
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02770FD4
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02770091
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0275003D
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02750F9B
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02750022
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02750011
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02750FAC
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02750000
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02750FBD
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 95, 8A ]
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0275004E
.text C:\WINDOWS\System32\svchost.exe[1056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02730FEF
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 0276000A
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02760FE5
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0276001B
.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02760036
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650089
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650F94
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650FAF
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0065006C
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650040
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650F5E
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F6F
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500C8
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500B7
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 006500E3
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0065005B
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0065009A
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00650014
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00650F43
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00640FDE
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00640065
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0064002F
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00640014
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00640FA8
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00640FC3
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 84, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0064004A
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0066005B
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660040
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F66
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660FB9
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660F2B
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0066007D
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660EFF
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00660F10
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00660EE4
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00660F9E
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0066006C
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0066001B
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00660FCA
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0066008E
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00650036
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00650069
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00650058
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00650FB6
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 85, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00650047
.text C:\WINDOWS\system32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\SearchIndexer.exe[1248] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F20047
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20036
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20F5C
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20F8A
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F20F15
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F26
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F2008C
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F20EF3
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F200A7
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F20F79
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F20F37
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F20FA5
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F20F04
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F00F94
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F00014
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F00FDE
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F00FA5
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F00047
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F10FDE
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F10014
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00F10FC3
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F30
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F4B
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F66
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660054
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660F02
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660ECC
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00660EE7
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00660080
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00660F9E
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00660F1F
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00660FB9
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00660065
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00650022
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00650F9B
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00650FAC
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00650044
.text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00650033
.text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0063000A
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30F9B
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30090
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30073
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30062
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30040
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30F76
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F300BC
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30F39
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F30F54
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F300ED
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F30051
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F300AB
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F3001B
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F30F65
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F2001B
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F20036
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F20F79
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F20000
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F20F94
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 12, 89 ]
.text C:\WINDOWS\System32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F20FAF
.text C:\WINDOWS\System32\svchost.exe[1652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1856] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006C
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0051
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A009F
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A008E
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00DC
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00CB
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00ED
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F97
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A007D
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0014
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00B0
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F94
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FCA
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290051
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FAF
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290036
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C001B
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\Explorer.EXE[2516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A20062
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A20F6D
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A20F88
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A20FAF
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A2008E
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A2007D
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A20F1A
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A20F2B
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A200C4
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A20047
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A20F52
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\dllhost.exe[3108] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A200A9
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A10FDB
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A1006C
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A1002C
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A10FAF
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A10047
.text C:\WINDOWS\system32\dllhost.exe[3108] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A10FC0
.text C:\WINDOWS\system32\dllhost.exe[3108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat BAAB6D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ati2mtag\Device2@DALRULE_ADAPTERBANDWIDTH\1ODEENUM 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583bb5946
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583bb5946@001edc1e1358 0x77 0xF9 0x18 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583bb5946@00192c4490b4 0xAF 0x9D 0x67 0x5E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583bb5946@001edc2785c5 0xF3 0x2E 0x5B 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\ati2mtag\Device2@DALRULE_ADAPTERBANDWIDTH\1ODEENUM 0
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583bb5946
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583bb5946@001edc1e1358 0x77 0xF9 0x18 0xBB ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583bb5946@00192c4490b4 0xAF 0x9D 0x67 0x5E ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583bb5946@001edc2785c5 0xF3 0x2E 0x5B 0x1C ...
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\AuxUserType\2
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\AuxUserType\2@ Picture
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\Conversion\Readable
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\Conversion\Readable\Main
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\Conversion\Readable\Main@
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\DataFormats\DefaultFile
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\DataFormats\DefaultFile@ 14
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\DataFormats\GetSet
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\DataFormats\GetSet\0
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\DataFormats\GetSet\0@ 14,1,64,3
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\InprocServer32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\MiscStatus@ 536
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\ProgID@ StaticEnhancedMetafile

---- EOF - GMER 1.0.14 ----


DDS (Ver_09-02-01.01) - NTFSx86
Run by Michael at 0:33:50.95 on 05/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.446 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Michael\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim6]
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [atwtusb] atwtusb.exe beta
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SmartRAM] c:\program files\iobit\advanced windowscare v2\MemCleaner.exe /m
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\wallpe~1.lnk - c:\program files\wallperizer\Wallperizer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501}
DPF: {5D6F45B3-9043-443D-A792-115447494D24}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722}
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\5rfjxi8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [2008-10-29 22272]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-22 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-5 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-22 358736]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-7-22 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-22 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-22 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-22 40488]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-12-3 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-12-3 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-12-3 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-12-3 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-12-3 100648]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-22 34152]
S4 fasttrak;fasttrak; [x]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-05 00:15 250 a------- c:\windows\gmer.ini
2009-02-04 23:54 2,494 a------- c:\windows\system32\tmp.reg
2009-02-01 17:32 13 a------- C:\fldate
2009-02-01 11:16 <DIR> --d----- c:\program files\Apophysis 2.0
2009-01-24 12:13 <DIR> --d----- c:\program files\ASIO4ALL v2
2009-01-24 12:13 225,280 a------- c:\windows\system32\rewire.dll
2009-01-24 12:13 <DIR> --d----- c:\program files\VstPlugins
2009-01-24 12:12 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-01-24 12:10 <DIR> --d----- c:\program files\Image-Line
2009-01-23 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-23 20:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-23 20:25 <DIR> --d----- c:\docume~1\michael\applic~1\SUPERAntiSpyware.com
2009-01-22 18:49 1,613,730 a------- C:\DOPE - Die Motherbleeper Die.mp3
2009-01-17 11:03 35,382 a------- c:\windows\scunin.dat
2009-01-17 11:03 94,208 a------- c:\windows\ScUnin.exe
2009-01-17 11:03 967 a------- c:\windows\ScUnin.pif
2009-01-16 20:39 1,917,586 a------- C:\Ebay.mp3
2009-01-16 20:33 3,312,882 a------- C:\Your Fat.mp3
2009-01-13 16:42 <DIR> --d----- c:\program files\Shockwave.com
2009-01-13 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SonyPicturesGames
2009-01-12 19:27 <DIR> --d----- c:\program files\Starcraft
2009-01-12 18:57 2,329,683 a------- C:\Kanye West - Gold Digger.mp3
2009-01-12 16:51 <DIR> --d----- c:\program files\GameSpy Arcade
2009-01-12 16:43 <DIR> --d----- c:\program files\Xplosiv
2009-01-12 16:43 767 a------- c:\windows\Thps3.INI
2009-01-11 17:12 <DIR> --d----- c:\program files\Microsoft
2009-01-11 17:11 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-01-11 12:39 <DIR> --d----- c:\program files\Turtix Rescue Adventure
2009-01-10 00:02 <DIR> --d----- c:\program files\Immortal Defense
2009-01-06 21:04 1,121,993 a------- C:\Bounce - System Of A Down.mp3
2009-01-06 08:18 268 a---h--- C:\sqmdata00.sqm
2009-01-06 08:18 244 a---h--- C:\sqmnoopt00.sqm

==================== Find3M ====================

2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-07 16:32 1,322 a------- c:\docume~1\michael\applic~1\wklnhst.dat
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-21 21:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-09 01:21 107,888 a------- c:\windows\system32\CmdLineExt.dll
2001-09-28 16:00 164,864 -------- c:\program files\UNWISE.EXE
2008-07-23 01:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072320080724\index.dat

============= FINISH: 0:34:17.65 ===============

Edited by SuzanneMarie, 04 February 2009 - 07:53 PM.


#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 February 2009 - 08:31 PM

Hello.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}]
    "DhcpNameServer"="208.67.222.222, 208.67.220.220"
  • Click File, then Save As...
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.
--
Take a new SmitFraudFix log. Open the program in normal mode and select Scanning.
--
With Regards,
The Panda

#8 SuzanneMarie

  • Topic Starter

  • Members
  • 44 posts
  • Location:Rhyl, North Wales

Posted 06 February 2009 - 07:21 AM

Thanks. Here is the new log you asked for...

SmitFraudFix v2.392

Scan done at 12:16:05.50, 06/02/2009
Run from C:\Documents and Settings\Michael\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Michael


C:\DOCUME~1\Michael\LOCALS~1\Temp


C:\Documents and Settings\Michael\Application Data


Start Menu


C:\DOCUME~1\Michael\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

Description: NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter - Packet Scheduler Miniport
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=208.67.222.222, 208.67.220.220
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA8B6021-F731-4F92-8ED1-001123DE759C}: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=208.67.222.222, 208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA8B6021-F731-4F92-8ED1-001123DE759C}: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=85.255.115.36,85.255.112.83
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FA8B6021-F731-4F92-8ED1-001123DE759C}: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220


Scanning for wininet.dll infection


End

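The DNS section of the report above is the part worth reading closely: the current control set (CCS) and CS1 already carry the OpenDNS addresses that the fix script writes, but CS3 still lists the 85.255.115.36,85.255.112.83 pair, and the report writes its server lists with either ", " or a bare space as the separator. The following is an added example, not part of this thread and not code from SmitFraudFix, DDS or any other tool mentioned here: it parses report lines of that shape, splits the server list on either separator, and flags every registry entry whose resolvers fall outside an allow-list, recording which control set the entry belongs to so a stale value in a non-current control set is reported next to the live one. The sample report text is constructed in the shape of the log above, and the allow-list of OpenDNS addresses is an assumption taken from the fix script; on another machine it would be the ISP's or the router's resolvers.

```python
# Added example (not from this thread or from SmitFraudFix/DDS): audit the
# DNS section of a SmitFraudFix-style report for resolvers outside an allow-list.
import re
from ipaddress import ip_address

# Constructed sample in the shape of the SmitFraudFix "DNS" section above.
SAMPLE_REPORT = r"""
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=208.67.222.222, 208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=208.67.222.222, 208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\..\{43FC2A32-9FF1-490B-9FBB-F6AAC3C2CF76}: DhcpNameServer=85.255.115.36,85.255.112.83
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
"""

# Assumed allow-list: the resolvers the fix script in the thread sets (OpenDNS).
# Replace with the ISP's or the LAN router's resolvers when auditing another machine.
ALLOWED_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

# One registry line of the report: "<key>: DhcpNameServer=<list>" or "<key>: NameServer=<list>".
ENTRY_RE = re.compile(r"^(?P<key>HKLM\\[^:]+):\s*(?P<name>(?:Dhcp)?NameServer)=(?P<value>.*)$")
# The control set is the path element after SYSTEM: CCS (current) or CS<n>.
CONTROL_SET_RE = re.compile(r"\\(CCS|CS\d+)\\")


def split_servers(value):
    """Split a resolver list; the report uses both ', ' and ' ' as separators."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def parse_report(text):
    """Return (key, value_name, [servers]) for every registry DNS line in the report."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name"), split_servers(m.group("value"))))
    return entries


def is_ipv4(text):
    """True for a syntactically valid IPv4 address; anything else is treated as suspect."""
    try:
        return ip_address(text).version == 4
    except ValueError:
        return False


def find_suspect_entries(text, allowed=ALLOWED_RESOLVERS):
    """List every entry naming a resolver outside `allowed` or not a valid IPv4 address.

    Each finding records the control set so a stale value in a non-current
    control set (CS1/CS3) is reported alongside the live CCS value.
    """
    findings = []
    for key, name, servers in parse_report(text):
        unexpected = [s for s in servers if not is_ipv4(s) or s not in allowed]
        if unexpected:
            cs = CONTROL_SET_RE.search(key)
            findings.append({
                "control_set": cs.group(1) if cs else "?",
                "key": key,
                "value_name": name,
                "unexpected": unexpected,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspect_entries(SAMPLE_REPORT):
        print(f"[{f['control_set']}] {f['value_name']} in {f['key']}: {', '.join(f['unexpected'])}")
```

Run against the constructed sample it reports a single finding, the CS3 interface key with both 85.255.x.x addresses; the CCS and CS1 entries pass because every address they list is on the allow-list. Treating a malformed value as suspect rather than skipping it is deliberate: a DhcpNameServer value that does not parse as an address is still a change worth looking at.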
#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 February 2009 - 08:15 AM

Hello.

Looks good. Let's get an online scan to see if we missed anything.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Also take a new DDS.txt.

Please tell me of any issues at the moment.

With Regards,
The Panda

#10 SuzanneMarie

  • Topic Starter

  • Members
  • 44 posts
  • Location:Rhyl, North Wales

Posted 06 February 2009 - 10:44 PM

Thanks, I did the scan, no problem. Here is the report and the new DDS log.

Scanning Report
Saturday, February 07, 2009 02:00:43 - 03:33:18

Computer name: KIDSCOMPUTER
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 7 malware found
Rootkit.Win32.TDSS.eyj (virus)

* C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS\IAMFAMOUS.DLL (Renamed & Submitted)

Trojan-Downloader.Win32.Agent (virus)

* System

Trojan-Downloader.Win32.Agent.aqfi (virus)

* C:\PROGRAM FILES\FAIRWAY SOLITAIRE\FAIRWAYSOLITAIRE.EXE

Trojan-Downloader.Win32.Agent.ashb (virus)

* C:\PROGRAM FILES\ELF BOWLING HAWAIIAN VACATION\ELFBOWLING.EXE

W32/Packed_Mew.C (virus)

* C:\DOCUMENTS AND SETTINGS\SAMANTHA\MY DOCUMENTS\MY RECEIVED FILES\PZTRAIN.EXE (Submitted)
* C:\DOCUMENTS AND SETTINGS\PHILLIP\MY DOCUMENTS\OTHER\PZTRAIN.EXE (Submitted)

W32/Zlob.gen123 (virus)

* C:\RECYCLER\S-1-5-21-790525478-1343024091-682003330-1003\DC5\AGENT.OMZ.FIX.EXE (Submitted)

Statistics
Scanned:

* Files: 58104
* System: 5667
* Not scanned: 21

Actions:

* Disinfected: 0
* Renamed: 1
* Deleted: 0
* None: 6
* Submitted: 4

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\MCAFEE_33EDGK0NU88YFGZ
* C:\WINDOWS\TEMP\MCAFEE_QOZHQIAM6RHWJOG
* C:\WINDOWS\TEMP\MCMSC_B6S3ABGYWQNVUW6
* C:\WINDOWS\TEMP\MCMSC_D5HRT7W7JQO5F2E
* C:\WINDOWS\TEMP\MCMSC_DEUBV1IKYICLG4G
* C:\WINDOWS\TEMP\MCMSC_IBRLIXR6CFGKCIV
* C:\WINDOWS\TEMP\MCMSC_L56MBMWWYNPAXNV
* C:\WINDOWS\TEMP\MCMSC_W9GYPNY7PPWHDQS
* C:\WINDOWS\TEMP\SQLITE_BMHLHGWRDWLHVGB
* C:\WINDOWS\TEMP\SQLITE_KTTSAX7V7ENRWAW
* C:\WINDOWS\TEMP\SQLITE_LU2DLEHFKKNEEYG
* C:\WINDOWS\TEMP\SQLITE_PJJBIHRH7ZEGM0G
* C:\WINDOWS\TEMP\SQLITE_QYECBEVRUYF1409
* C:\WINDOWS\TEMP\SQLITE_RHB1M5XSEBOOHQW
* C:\WINDOWS\TEMP\SQLITE_XJWBMJAH9J1KAGN
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-06
* F-Secure AVP: 7.0.171, 2009-02-06
* F-Secure Pegasus: 1.20.0, 1970-00-01
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



DDS (Ver_09-01-07.01) - NTFSx86
Run by Michael at 3:39:43.73 on 07/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.450 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Michael\My Documents\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim6]
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [atwtusb] atwtusb.exe beta
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SmartRAM] c:\program files\iobit\advanced windowscare v2\MemCleaner.exe /m
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\wallpe~1.lnk - c:\program files\wallperizer\Wallperizer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\5rfjxi8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [2008-10-29 22272]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-22 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-22 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-22 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-22 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-22 34152]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-22 40488]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-5 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-22 358736]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-7-22 144704]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-12-3 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-12-3 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-12-3 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-12-3 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-12-3 100648]
S4 fasttrak;fasttrak; [x]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-07 01:54 <DIR> --d----- C:\fsaua.data
2009-02-07 01:17 27,136 a--sh--- C:\Thumbs.db
2009-02-05 00:15 250 a------- c:\windows\gmer.ini
2009-02-04 23:54 2,494 a------- c:\windows\system32\tmp.reg
2009-02-01 17:32 13 a------- C:\fldate
2009-02-01 11:16 <DIR> --d----- c:\program files\Apophysis 2.0
2009-01-24 12:13 <DIR> --d----- c:\program files\ASIO4ALL v2
2009-01-24 12:13 225,280 a------- c:\windows\system32\rewire.dll
2009-01-24 12:13 <DIR> --d----- c:\program files\VstPlugins
2009-01-24 12:12 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-01-24 12:10 <DIR> --d----- c:\program files\Image-Line
2009-01-23 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-23 20:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-23 20:25 <DIR> --d----- c:\docume~1\michael\applic~1\SUPERAntiSpyware.com
2009-01-22 18:49 1,613,730 a------- C:\DOPE - Die Motherbleeper Die.mp3
2009-01-17 11:03 35,382 a------- c:\windows\scunin.dat
2009-01-17 11:03 94,208 a------- c:\windows\ScUnin.exe
2009-01-17 11:03 967 a------- c:\windows\ScUnin.pif
2009-01-16 20:39 1,917,586 a------- C:\Ebay.mp3
2009-01-16 20:33 3,312,882 a------- C:\Your Fat.mp3
2009-01-13 16:42 <DIR> --d----- c:\program files\Shockwave.com
2009-01-13 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SonyPicturesGames
2009-01-12 19:27 <DIR> --d----- c:\program files\Starcraft
2009-01-12 18:57 2,329,683 a------- C:\Kanye West - Gold Digger.mp3
2009-01-12 16:51 <DIR> --d----- c:\program files\GameSpy Arcade
2009-01-12 16:43 <DIR> --d----- c:\program files\Xplosiv
2009-01-12 16:43 767 a------- c:\windows\Thps3.INI
2009-01-11 17:12 <DIR> --d----- c:\program files\Microsoft
2009-01-11 17:11 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-01-11 12:39 <DIR> --d----- c:\program files\Turtix Rescue Adventure
2009-01-10 00:02 <DIR> --d----- c:\program files\Immortal Defense

==================== Find3M ====================

2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-07 16:32 1,322 a------- c:\docume~1\michael\applic~1\wklnhst.dat
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-21 21:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2001-09-28 16:00 164,864 -------- c:\program files\UNWISE.EXE
2008-07-23 01:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072320080724\index.dat

============= FINISH: 3:40:23.42 ===============

#11 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 07 February 2009 - 10:25 AM

Hello.

Looks good.

Please delete these files:
c:\program files\fairway solitaire\fairwaysolitaire.exe
c:\program files\elf bowling hawaiian vacation\elfbowling.exe
c:\documents and settings\samantha\my documents\my received files\pztrain.exe
c:\documents and settings\phillip\my documents\other\pztrain.exe

Download and Run OTCleanIt
This program will remove the tools we have used.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Delete the file after use, if it did not delete itself.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
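The restore-point step above is a GUI procedure (System Restore to create a point, then cleanmgr to purge the older ones). As an added example that is not part of the original thread or of any tool mentioned in it, the same result from an elevated PowerShell 2.0 prompt, which was an optional download for Windows XP SP3. Assumptions: PowerShell 2.0 is installed, the system drive is C:, and the restore point description is arbitrary. The order matters: disabling System Restore on a drive discards every restore point on it, so the new clean point is created only after the purge.

```powershell
# Added example (not from the original post): replace the System Restore /
# cleanmgr GUI steps with PowerShell 2.0 cmdlets. Run from an elevated prompt.
# Assumptions: PowerShell 2.0 on Windows XP SP3, system drive C:.

$drive = "C:\"

# Turning System Restore off for a drive deletes all restore points on it,
# including any that may hold copies of the malware's files. Turning it back
# on starts with an empty restore point list.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# Create the single clean restore point the thread asks for. The description
# is an assumption; any text works. MODIFY_SETTINGS is one of the documented
# restore point types.
Checkpoint-Computer -Description "Clean after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# Verify that only the newly created point remains.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

If Get-ComputerRestorePoint shows more than one entry afterwards, the disable step did not take effect (usually a non-elevated prompt); rerun from an administrator account before trusting the restore point as clean.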

#12 SuzanneMarie (Topic Starter, Members, 44 posts, Rhyl, North Wales)

Posted 08 February 2009 - 03:47 AM

I have no more questions or concerns...thank you very much for your help. :thumbup2:

#13 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 08 February 2009 - 11:50 AM

Welcome :thumbup2: .

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda