Google/Search Engines Hi-Jacked


  • This topic is locked
15 replies to this topic

#1 llj68

  • Members
  • 17 posts

Posted 01 February 2009 - 12:38 PM

Hi,

I have been sent over here from the "I think I'm infected..." forum by Quietman7.

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/199385/hi-jacked-googlesearch-engines/ ~ OB

I am having issues with redirects when using any search engine (google, yahoo, msn). While the issue has improved somewhat with what we have done so far (I'm no longer getting porn sites)--it's still not fixed and I'm still having the problems with redirects to various sales, search or other junk sites. While the content of the search results looks OK in the body---when you look at the link they are sending you to, it doesn't match up (I end up with moxiesearch, toseeka, monstermarketplace, searchexplorer, find-more-here, etc.). This is what we have done so far:

McAfee Virus Scan - full
Spybot - scanned
Ad-Aware - full scan
Malwarebytes - quick scan and full scan
ATF Cleaner - done
SuperAntispyware scan - complete scan
Gooredfix log - done
Kaspersky Webscanner - full scan

When I did the Super Antispyware & Kaspersky scans--nothing was found. When I did the other scans, a few adware tracking cookies were found and removed.

I do not have a log from Kaspersky because it found nothing. 0 items detected.

I use Mozilla for my web browser and have (I think) the most current update.

One question I have is whether or not I should just restore my system from a ghost I did on 12/17. I had a new hard drive installed and ghosted it once I updated it. I will not lose any data as I exclusively use an external hard drive for all my documents, photos, checkbook, etc.. I am also concerned about the safety of paying bills online until this is resolved. Opinions?

Per Quietman7's instructions, here are my DDS/Hijack This logs:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Lisa at 12:16:17.84 on Sun 02/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.193 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Lisa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso9/default.asp?affid=105-36&dtag=9tt6p61
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\mskagent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: []
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Quicken Scheduled Updates.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisa\applic~1\mozilla\firefox\profiles\w7t4d3di.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\lisa\application data\mozilla\firefox\profiles\w7t4d3di.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-30 64160]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-11-10 138801]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-30 201320]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-11-10 46800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-2 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-30 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-30 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-30 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-30 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-30 33832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-01-31 14:59 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-31 14:58 --d----- c:\program files\SUPERAntiSpyware
2009-01-31 14:58 --d----- c:\docume~1\lisa\applic~1\SUPERAntiSpyware.com
2009-01-30 20:33 --d----- c:\docume~1\lisa\applic~1\Malwarebytes
2009-01-30 20:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-30 20:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 20:32 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 20:32 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-30 20:15 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-30 19:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-30 19:32 -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-30 19:32 --d----- c:\program files\Lavasoft
2009-01-30 14:37 --d----- c:\docume~1\lisa\applic~1\Pharaohs Secret
2009-01-28 23:00 --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 23:00 --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 23:00 --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-28 23:00 --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-05 08:39 --d----- c:\docume~1\alluse~1\applic~1\Shockwave

==================== Find3M ====================

2008-12-14 10:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-12-09 11:21 99,965 a------- c:\windows\UninstallFirefox.exe
2008-12-09 11:21 2,654 a------- c:\windows\mozver.dat

============= FINISH: 12:17:30.46 ===============



Also per instructions, I am attaching my "Attach.txt" file from the recent DDS scan. Please advise when convenient.

Also, just an FYI, I'm almost completely computer illiterate but I can follow instructions. Tell me which buttons to push and I'm fine--just have no idea what I'm doing. Sorry!!

Thanks for your help!!!!

Lisa

Edited by Orange Blossom, 02 February 2009 - 12:00 AM.
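Reading a DDS "Pseudo HJT Report" like the one above is the first thing a malware responder does before replying: each BHO:, TB:, uRun:/mRun: and DPF: line names a load point and the module or URL behind it, and the question for every line is whether that module belongs there. The Python below is an added example for this thread, not code from BleepingComputer, from DDS or from the poster. It parses those line types and applies a few first-pass triage rules: orphaned "No File" entries, BHOs with no display name, autostarts that run from a temp directory or reuse a Windows binary name outside \windows, and ActiveX downloads from hosts not on a vendor allowlist. The allowlists are constructed for illustration, and the sample input copies a few lines from the posted log plus one constructed uRun entry (an svchost.exe in a temp folder) that does not appear in Lisa's log and exists only to exercise the high-severity rules.

```python
"""First-pass triage of a DDS 'Pseudo HJT Report' (added example, not a DDS feature)."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

Entry = namedtuple("Entry", "kind name target raw")

# Constructed allowlist of hosts that legitimately serve the ActiveX .cab
# files seen in this log; a real responder keeps a much longer list.
KNOWN_DPF_HOSTS = {
    "fpdownload.macromedia.com", "download.macromedia.com",
    "java.sun.com", "download.mcafee.com", "www.apple.com",
}
# Autostart locations that legitimate software almost never uses on XP.
SUSPECT_PATH_PARTS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")
# Names of Windows binaries; an autostart with one of these names that lives
# outside \windows is a classic impostor.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "explorer.exe"}

_GUID = r"\{(?P<guid>[0-9A-Fa-f-]+)\}"
_PATTERNS = (
    ("BHO", re.compile(r"^BHO: (?:(?P<name>.*?): )?" + _GUID + r" - (?P<target>.+)$")),
    ("TB",  re.compile(r"^TB: (?:(?P<name>.*?): )?" + _GUID + r" - (?P<target>.+)$")),
    ("Run", re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")),
    ("DPF", re.compile(r"^DPF: " + _GUID + r" - (?P<target>.+)$")),
)

# Lines copied from the DDS log posted above, plus ONE constructed entry
# (the uRun svchost.exe line) that is NOT in Lisa's log.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: []
uRun: [svchost] c:\docume~1\lisa\locals~1\temp\svchost.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
"""


def parse_report(text):
    """Return an Entry for every BHO/TB/Run/DPF line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in _PATTERNS:
            m = pat.match(line)
            if m:
                g = m.groupdict()
                kind = g["scope"] + "Run" if kind == "Run" else kind
                # name is None when the line has no name field, '' when it is present but empty
                entries.append(Entry(kind, g.get("name"), g["target"].strip(), line))
                break
    return entries


def triage(entries):
    """Return (severity, reason, entry) tuples for entries a responder should look at."""
    findings = []
    for e in entries:
        t = e.target.lower()
        if t == "no file":
            findings.append(("low", "orphaned entry, module file is gone", e))
        elif e.kind in ("BHO", "TB") and not e.name:
            findings.append(("info", "unnamed BHO/toolbar, identify the DLL", e))
        if e.kind.endswith("Run"):
            if not t:
                findings.append(("info", "empty Run value", e))
            else:
                if any(p in t for p in SUSPECT_PATH_PARTS):
                    findings.append(("high", "autostart from a temp directory", e))
                exe = re.search(r"([^\\\"]+\.exe)", t)  # first .exe file name in the value
                if exe and exe.group(1) in SYSTEM_BINARY_NAMES and "\\windows\\" not in t:
                    findings.append(("high", "system binary name outside \\windows", e))
        elif e.kind == "DPF":
            host = urlsplit(t.replace("hxxp://", "http://", 1)).hostname or ""
            if host not in KNOWN_DPF_HOSTS:
                findings.append(("medium", "ActiveX download from unlisted host " + host, e))
    return findings


if __name__ == "__main__":
    for sev, reason, entry in triage(parse_report(SAMPLE_LOG)):
        print(f"[{sev:6}] {reason}: {entry.raw}")
```

On the log actually posted above, only the unnamed SiteAdvisor and Spybot BHOs and the "No File" toolbar would be reported, all of them benign leftovers; the constructed svchost line is what produces the high-severity hits. The rules are deliberately cheap heuristics to order a human's attention, not a verdict: the DPF allowlist in particular is tiny and would need to grow with every legitimate ActiveX host a responder meets.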



#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 08 February 2009 - 05:22 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
    Right-click it -> choose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda
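GMER's "System" section, as in the log posted later in this thread, lists each kernel hook as a type (SSDT, Code), the hooking module, the module's version-info description and vendor in parentheses when the file carries any, the hooked Zw* function and the hook address. Whether those hooks are a rootkit or a security product comes down to who owns the module and which functions it hooks: antivirus and anti-spyware drivers hook file, process and registry creation to inspect it, while a hiding rootkit hooks the enumeration calls. The Python below is an added example for this thread, not part of GMER or of the instructions above. It parses those lines, groups hooks by module and flags modules with no vendor information or with a vendor outside a constructed list of known security software, raising the severity when such a module hooks the enumeration functions used to hide files and keys. The sample input copies lines from the posted GMER log and adds two constructed lines for a hypothetical driver abcd1234.sys that is not in Lisa's log.

```python
"""Group and triage hooks from GMER's 'System' section (added example, not GMER code)."""
import re
from collections import defaultdict, namedtuple

Hook = namedtuple("Hook", "kind module desc vendor func addr")

# Constructed allowlist: the two vendors present in the posted log plus a few
# others a responder would expect to find hooking the SSDT.
KNOWN_SECURITY_VENDORS = {"lavasoft ab", "mcafee, inc.", "symantec corporation",
                          "kaspersky lab", "sunbelt software", "malwarebytes"}
# Functions a kernel-mode rootkit hooks to hide files, registry keys and processes.
HIDING_FUNCS = {"ZwQueryDirectoryFile", "ZwEnumerateKey", "ZwEnumerateValueKey",
                "ZwQueryValueKey", "ZwQuerySystemInformation", "ZwOpenProcess"}

# type  module  [(description/vendor)]  function  [address]
_HOOK = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>.+?)"
    r"(?:\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>(?:Zw|Nt)\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$")

# Lines from the GMER log posted in this thread, plus two CONSTRUCTED lines for
# a hypothetical abcd1234.sys that is NOT in Lisa's log.
SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF858887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8588C10]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE3559AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE355958]
SSDT \??\C:\WINDOWS\system32\drivers\abcd1234.sys ZwQueryDirectoryFile [0xF7A1C2E0]
SSDT \??\C:\WINDOWS\system32\drivers\abcd1234.sys ZwEnumerateKey [0xF7A1C310]
"""


def parse_gmer(text):
    """Return a Hook for each SSDT/Code line; desc and vendor are None when GMER printed none."""
    hooks = []
    for line in text.splitlines():
        m = _HOOK.match(line.strip())
        if m:
            hooks.append(Hook(**m.groupdict()))
    return hooks


def triage_hooks(hooks):
    """Return (severity, module, reason, hooked_functions) per hooking module."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h.module].append(h)
    findings = []
    for module, hs in by_module.items():
        vendor = hs[0].vendor
        funcs = sorted({h.func for h in hs})
        if vendor is None:
            sev, reason = "high", "hooking module carries no version/vendor information"
        elif vendor.lower() not in KNOWN_SECURITY_VENDORS:
            sev, reason = "medium", f"vendor '{vendor}' is not a known security product"
        else:
            sev, reason = "info", f"known security software ({vendor})"
        hiding = sorted(set(funcs) & HIDING_FUNCS)
        if hiding and sev != "info":
            # an unknown module that hooks enumeration calls is the rootkit pattern
            sev = "high"
            reason += "; hooks functions used for hiding: " + ", ".join(hiding)
        findings.append((sev, module, reason, funcs))
    return findings


if __name__ == "__main__":
    for sev, module, reason, funcs in triage_hooks(parse_gmer(SAMPLE_GMER)):
        print(f"[{sev:6}] {module}: {reason} -> {', '.join(funcs)}")
```

Vendor strings come from the file's version resource and are trivial to forge, so a "known vendor" result only lowers priority; it does not clear the module. The definitive check is still the one the tools here do implicitly: does the file exist on disk at that path, is it the size and date the vendor ships, and is it what the product's own installer put there.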

#3 llj68

  • Topic Starter
  • Members
  • 17 posts

Posted 08 February 2009 - 07:03 PM

Hi Panda-

Thank you SO much for your reply and help. Per instructions, I have downloaded and run the scans requested. The following are the logs from Combofix & GMER

Not sure if you need this info or not, but when Combofix started, it deleted two files. They were: windows\IE4\IE4errorlog.txt and windows\system32\wdmaud.sys

The google issue seems to have been resolved. I did a couple of searches with known results and had the correct results pop up. I am also no longer getting the "waiting for 7.7.7." when I search.

Please advise if the logs look OK. I have to admit, after reading some of the posts on the forums here, I'm nervous about backdoors or key loggers or whatever.

The other question is...should I delete DDS, DDS log, Attach, SuperAntispyware, Gooredfix, Goored log, GooredFix Backups, Catchme, ATF Cleaner, Ad Aware, GMER, GMER log, Combofix, Combofix log & Malware Bytes? Please advise which should be deleted and which should be kept.

Finally, should I run a program like Ad-Aware in conjunction with McAfee Security Center? I am not really wanting to have this problem again--especially since I run with a firewall, etc., and have no idea how I got it in the first place.

The only update to my system (that I'm aware of) was an automatic update from Firefox to the latest version (3.0.6). Windows has been wanting to update but I have been saying no to the prompt until I got this situation under control. Should I run the update now?

Again, thank you!!!

Lisa

PS: When I tried to install the Recovery Console, it wouldn't do it correctly.

Combofix Log:

ComboFix 09-02-08.01 - Lisa 2009-02-08 18:07:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.294 [GMT -5:00]
Running from: c:\documents and settings\Lisa\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lisa\Application Data\.#
c:\documents and settings\Lisa\Application Data\.#\MBX@22C@A141D0.###
c:\documents and settings\Lisa\Application Data\.#\MBX@22C@A14200.###
c:\documents and settings\Lisa\Application Data\.#\MBX@22C@A14230.###
c:\documents and settings\Lisa\Application Data\.#\MBX@B9C@A141D0.###
c:\documents and settings\Lisa\Application Data\.#\MBX@B9C@A14200.###
c:\documents and settings\Lisa\Application Data\.#\MBX@B9C@A14230.###
c:\documents and settings\Lisa\Application Data\.#\MBX@EF4@A141D0.###
c:\documents and settings\Lisa\Application Data\.#\MBX@EF4@A14200.###
c:\documents and settings\Lisa\Application Data\.#\MBX@EF4@A14230.###
c:\documents and settings\Lisa\Application Data\.#\MBX@F98@A141D0.###
c:\documents and settings\Lisa\Application Data\.#\MBX@F98@A14200.###
c:\documents and settings\Lisa\Application Data\.#\MBX@F98@A14230.###
c:\windows\IE4 Error Log.txt
c:\windows\system32\wdmaud.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 09:43 . 2009-02-08 09:43 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-08 09:43 . 2009-02-08 09:43 1,409 --a------ c:\windows\QTFont.for
2009-01-31 14:59 . 2009-01-31 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-31 14:58 . 2009-01-31 14:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-31 14:58 . 2009-01-31 14:58 <DIR> d-------- c:\documents and settings\Lisa\Application Data\SUPERAntiSpyware.com
2009-01-30 20:33 . 2009-01-30 20:33 <DIR> d-------- c:\documents and settings\Lisa\Application Data\Malwarebytes
2009-01-30 20:33 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 20:33 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-30 20:32 . 2009-01-30 20:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 20:32 . 2009-01-30 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-30 20:15 . 2009-01-30 19:34 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-30 19:35 . 2009-01-30 19:35 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-30 19:35 . 2009-01-30 19:34 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-30 19:32 . 2009-01-30 19:32 <DIR> d-------- c:\program files\Lavasoft
2009-01-30 19:32 . 2009-01-30 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-30 19:32 . 2009-01-30 19:32 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-30 14:37 . 2009-01-30 16:07 <DIR> d-------- c:\documents and settings\Lisa\Application Data\Pharaohs Secret
2009-01-28 23:00 . 2009-01-28 23:00 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-28 23:00 . 2009-01-28 23:00 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 23:00 . 2009-01-28 23:00 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 23:00 . 2009-01-28 23:00 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-17 09:21 . 2009-01-17 09:21 <DIR> d-------- c:\documents and settings\Joe\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 16:55 --------- d-----w c:\documents and settings\Lisa\Application Data\AdobeUM
2009-01-31 19:58 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-31 01:17 --------- d-----w c:\program files\Shockwave.com
2009-01-30 19:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 05:02 --------- d-----w c:\program files\Quicken
2009-01-29 03:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-17 14:01 --------- d-----w c:\program files\McAfee
2009-01-16 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2009-01-04 21:11 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-31 00:51 --------- d-----w c:\program files\Common Files\SWF Studio
2008-12-29 13:10 --------- d-----w c:\documents and settings\Lisa\Application Data\PlayFirst
2008-12-29 13:10 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2008-12-18 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Playrix Entertainment
2008-12-14 16:45 --------- d--h--w c:\documents and settings\Joe\Application Data\Gtek
2008-12-14 16:45 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-12-14 15:33 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 15:33 --------- d-----w c:\program files\Java
2008-12-13 19:11 --------- d-----w c:\documents and settings\All Users\Application Data\GameHouse
2008-12-13 15:07 --------- d--h--w c:\documents and settings\Lisa\Application Data\Gtek
2008-12-13 15:07 --------- d--h--w c:\documents and settings\Kailey\Application Data\Gtek
2008-12-13 15:06 --------- d-----w c:\program files\DellSupport
2008-12-13 01:20 --------- d-----w c:\documents and settings\Lisa\Application Data\Move Networks
2008-12-12 17:33 3,060,224 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 00:14 --------- d-----w c:\documents and settings\Lisa\Application Data\Oberon Games
2008-12-10 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Oberon Games
2008-12-09 19:20 --------- d-----w c:\program files\Starry Night Backyard
2008-12-09 16:39 --------- d-----w c:\program files\windirstat
2008-12-09 16:27 --------- d-----w c:\program files\Ontrack
2008-12-09 16:27 --------- d-----w c:\documents and settings\Lisa\Application Data\Ontrack
2008-12-09 16:21 99,965 ----a-w c:\windows\UninstallFirefox.exe
2008-12-09 16:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-09 16:02 --------- d-----w c:\program files\PowerQuest
2008-12-09 15:54 --------- d-----w c:\documents and settings\Kailey\Application Data\SiteAdvisor
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-30 509784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-07-01 1757]
Microsoft Office.lnk.disabled [2005-01-25 1730]
Quicken Scheduled Updates.lnk.disabled [2005-01-25 675]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2005-06-24 14:16 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 07:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 07:58 135168 c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-07-28 06:16 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2004-01-07 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"dla"=c:\windows\system32\dla\tfswctrl.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"DVDTray"=c:\program files\Ahead\ODD Toolkit\DVDTray.exe
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
"SiteAdvisor"=c:\program files\SiteAdvisor\6253\SiteAdv.exe
"WinampAgent"="c:\program files\Winamp\Winampa.exe"
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"Norton Ghost 9.0"=c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-30 64160]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-11-10 138801]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-11-10 46800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-30 19:34]

2008-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-08 c:\windows\Tasks\MSK_ABImport_Daily_Lisa.job
- c:\program files\McAfee\MSK\AbImpSch.dll [2007-11-26 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSKAGENTEXE - c:\progra~1\mcafee\SPAMKI~1\mskagent.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso9/default.asp?affid=105-36&dtag=9tt6p61
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\w7t4d3di.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll
FF - plugin: c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\w7t4d3di.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 18:10:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(3896)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-02-08 18:12:37
ComboFix-quarantined-files.txt 2009-02-08 23:11:20

Pre-Run: 143,436,324,864 bytes free
Post-Run: 143,650,877,440 bytes free

210 --- E O F --- 2009-01-15 13:22:13




GMER Log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-08 18:37:24
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF858887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8588C10]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE3559AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE355958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE35596C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE355A57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE355A83]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE355AF1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE355ADB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE3559EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE355B1D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE355A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE355930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE355944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE3559BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE355B59]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE355AC5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE355AAF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE355A6D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE355B45]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE355B31]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE355996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE355982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE355A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE355B07]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE355A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE3559D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP EE3559D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80567D7B 5 Bytes JMP EE355A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B183 7 Bytes JMP EE355AB3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056BDCD 5 Bytes JMP EE355986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8056EC39 7 Bytes JMP EE355B5D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 7 Bytes JMP EE355AF5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056FC78 5 Bytes JMP EE3559AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571F71 5 Bytes JMP EE355A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 805723EC 7 Bytes JMP EE3559EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572D86 5 Bytes JMP EE355934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80573135 7 Bytes JMP EE3559C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FC04 7 Bytes JMP EE355ADF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581F0E 7 Bytes JMP EE355970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805847CC 5 Bytes JMP EE355A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058C892 5 Bytes JMP EE355948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80590EA2 5 Bytes JMP EE355B21 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593B38 7 Bytes JMP EE355A87 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805951C2 7 Bytes JMP EE355A5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0B34 5 Bytes JMP EE35595C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062C493 5 Bytes JMP EE35599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064C0D2 5 Bytes JMP EE355B35 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064C3A7 7 Bytes JMP EE355B0B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CC74 7 Bytes JMP EE355AC9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064D0B9 7 Bytes JMP EE355A71 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064D5AE 5 Bytes JMP EE355B49 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0078
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0067
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F3C
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F4D
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0F21
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00BA
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0F10
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F5E
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[372] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B009F
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A0F79
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A0025
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[372] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\wuauclt.exe[372] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 003C0FEF
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070F70
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070F8B
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070F9C
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070096
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070F44
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000700CC
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000700BB
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 000700E7
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00070F5F
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070F33
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00060F83
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[832] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B70F79
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B7006E
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B70F94
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B70FA5
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B70047
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B70F43
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B70F5E
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B700C1
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B700A6
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B700E6
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B70FC0
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B70089
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B7002C
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B70F32
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B60FB6
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B60073
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B60062
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B60051
.text C:\WINDOWS\system32\lsass.exe[844] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx + 2 7C801A5F 3 Bytes [ F4, 47, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C80F72
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C80F83
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C80F94
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C80F29
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C80F3A
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C80EE2
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C80EF3
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C8008C
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C80014
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C80071
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C80F0E
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C7003D
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C7002C
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C70FC0
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C70FD1
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C70062
.text C:\WINDOWS\system32\svchost.exe[1020] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B6005B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B60F66
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B60F81
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B6004A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B60FB9
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B60093
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B60F4B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B600BF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B60F26
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B60F0B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B60FA8
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B6006C
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B60FCA
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B600AE
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B50FC7
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B50047
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B50022
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B50011
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B50F8A
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B50F9B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B50FB6
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B30000
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01FA0FEF
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01FA00A7
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01FA008C
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01FA006F
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01FA0FB2
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01FA0FD4
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01FA0F7A
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01FA0F8B
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01FA0109
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01FA00EE
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01FA0F4B
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01FA0FC3
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01FA0014
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01FA00C2
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01FA0040
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01FA0025
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01FA00DD
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01F80FEF
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01F80F8A
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01F80040
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01F80025
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01F80FA5
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01F80051
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01F8000A
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01F80FD4
.text C:\WINDOWS\System32\svchost.exe[1196] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 011C0FDE
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 011C0FEF
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 011C0FC3
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 011C0FB2
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00880FEF
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0088005D
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00880F72
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00880F83
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00880036
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0088007F
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0088006E
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008800C6
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008800AB
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008800D7
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00880025
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00880FDE
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00880F43
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00880FA8
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00880FC3
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0088009A
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00870F68
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00870FB9
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00870FCA
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00870F83
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00870025
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00870FE5
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00870F9E
.text C:\WINDOWS\system32\svchost.exe[1264] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00850000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1296] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1296] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009D0F88
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009D0FA3
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009D007D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009D0051
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009D00C4
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009D00B3
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009D00F3
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009D0F5A
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009D0F3F
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009D006C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009D0025
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009D00A2
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009D0040
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009D0F6B
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009C0FC3
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009C0F75
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009C0F86
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009C0F97
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009C0FB2
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00950F44
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00950039
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00950F5F
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00950F7C
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00950FB2
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0095006F
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0095005E
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00950EF1
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00950F0C
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00950EE0
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00950F97
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00950F33
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00950FC3
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00950FD4
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00950080
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0080002F
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00800F9E
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00800FAF
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00800051
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00800040
.text C:\WINDOWS\system32\svchost.exe[1392] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1392] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 007E001B
.text C:\WINDOWS\system32\svchost.exe[1392] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1392] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 007E002C
.text C:\WINDOWS\system32\svchost.exe[1392] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0098
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0FA3
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A007D
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A006C
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A002C
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F7E
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A00C6
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00F2
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F59
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A0F3E
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0051
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A000A
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A00A9
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A001B
.text C:\WINDOWS\explorer.exe[2664] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A00D7
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00280FAF
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00280051
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0028000A
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00280FD4
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00280036
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00280F94
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00280FE5
.text C:\WINDOWS\explorer.exe[2664] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0028001B
.text C:\WINDOWS\explorer.exe[2664] WININET.dll!InternetOpenW 771BAED5 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\explorer.exe[2664] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\explorer.exe[2664] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 002B0000
.text C:\WINDOWS\explorer.exe[2664] WININET.dll!InternetOpenUrlW 771D5B4A 5 Bytes JMP 002B0FA3
.text C:\WINDOWS\explorer.exe[2664] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B20000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.14 ----

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 08 February 2009 - 07:22 PM

Hello Lisa.

Glad we are making some progress.

The other question is...should I delete DDS, DDS log, Attach, SuperAntispyware, Gooredfix, Goored log, GooredFx Backups, Catchme, AFT Cleaner, Ad Aware, GMER, GMER log, Combofix, Combofix log & Malware Bytes? Please advise which should be deleted and which should be kept.

We will remove all of those when we are done.

Finally, should I run a program like Ad-Aware in conjunction with McAfee Security Center?

That is a good idea, though SpyBot is good already.

Should I run the update now?

Yes.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS log.

Any issues at the moment?

With Regards,
The Panda
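What the fix.reg above actually does, as an added example that is not from the thread or its helper: a small Python parser for the .reg format that reads the script from the post (embedded here as constructed input) and lists the operation regedit would perform for each line, showing that every `"name"=-` line deletes a value rather than setting one. It also handles the general syntax the post does not use (`[-key]` deletion, `dword:`, `hex:` with continuation lines), so it can be run over any .reg file before merging it.

```python
"""Report what a Windows .reg script would do before it is merged.

Added example (not code from the BleepingComputer thread or its helper).
FIX_REG below is the script from the post above, embedded as constructed input.
"""
import re
from dataclasses import dataclass, field

FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-
"""

KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')          # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data


@dataclass
class KeyOp:
    """Everything the script asks regedit to do under one key."""
    path: str
    delete_key: bool = False
    delete_values: list = field(default_factory=list)
    set_values: dict = field(default_factory=dict)   # name -> (kind, value)


def _decode_data(raw):
    """Decode the right-hand side of a value line into (kind, value)."""
    raw = raw.strip()
    if raw == "-":                                  # "name"=- deletes the value
        return ("delete", None)
    if raw.startswith('"') and raw.endswith('"'):   # REG_SZ
        return ("string", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    if raw.lower().startswith("dword:"):            # REG_DWORD, hex digits
        return ("dword", int(raw[6:], 16))
    if raw.lower().startswith("hex"):               # hex: or hex(type): byte list
        body = raw.split(":", 1)[1]
        return ("binary", bytes(int(b, 16) for b in body.split(",") if b.strip()))
    raise ValueError(f"unsupported data: {raw!r}")


def parse_reg(text):
    """Parse a version-5 .reg script into a list of KeyOp, in file order."""
    lines = text.splitlines()
    if not lines or not lines[0].strip().startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    ops, current, pending = [], None, ""
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if pending:                                  # join a hex continuation line
            line, pending = pending + line, ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = KeyOp(path=m.group(2), delete_key=(m.group(1) == "-"))
            ops.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            kind, value = _decode_data(m.group(3))
            if kind == "delete":
                current.delete_values.append(name)
            else:
                current.set_values[name] = (kind, value)
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return ops


def summarize(ops):
    """One human-readable line per registry operation."""
    out = []
    for op in ops:
        if op.delete_key:
            out.append(f"DELETE KEY   {op.path}")
        for name in op.delete_values:
            out.append(f"DELETE VALUE {op.path} -> {name}")
        for name, (kind, value) in op.set_values.items():
            out.append(f"SET {kind:<8} {op.path} -> {name} = {value!r}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_reg(FIX_REG))))
```

Run against the post's script, every line comes out as DELETE VALUE: the fix removes the values that silence Security Center warnings and the stray drivers32 "aux" entry, and sets nothing.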

#5 llj68
  • Topic Starter
  • Members
  • 17 posts

Posted 08 February 2009 - 10:23 PM

Hi Panda--

OK--I've done the fix.reg and then deleted when complete. No problems.

I have installed the windows updates--didn't install 7.0 as I do not use IE at all. (Except when I was looking for new updates--it wouldn't accept mozilla.)

The following is my new dds log. Did you want the "attach" log also? The instructions say not to attach it unless specifically asked to do so.

No problems now. I am amazed at how quickly it is running again! Didn't realize it had slowed so much.

Should I delete those programs now or perform any other clean up?

Also-I download some games occasionally from shockwave. Generally I play for a week or so and then uninstall them. Are those safe (as I thought they were) or could that be where all this mess started from in the first place?

Thank you so much for your help!!

Lisa


DDS (Ver_09-02-01.01) - NTFSx86
Run by Lisa at 22:18:25.03 on Sun 02/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.146 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lisa\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso9/default.asp?affid=105-36&dtag=9tt6p61
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Quicken Scheduled Updates.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisa\applic~1\mozilla\firefox\profiles\w7t4d3di.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\lisa\application data\mozilla\firefox\profiles\w7t4d3di.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-30 64160]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-11-10 138801]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-30 201320]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-11-10 46800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-2 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-30 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-30 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-30 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-30 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-30 33832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-02-08 20:33 <DIR> --d----- c:\windows\LastGood.Tmp
2009-02-08 20:29 <DIR> --d----- c:\windows\system32\scripting
2009-02-08 20:29 <DIR> --d----- c:\windows\l2schemas
2009-02-08 20:29 <DIR> --d----- c:\windows\system32\en
2009-02-08 20:29 <DIR> --d----- c:\windows\system32\bits
2009-02-08 20:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-08 20:24 <DIR> --d----- c:\windows\network diagnostic
2009-02-08 20:18 <DIR> --d----- c:\windows\EHome
2009-02-08 18:16 250 a------- c:\windows\gmer.ini
2009-02-08 18:05 161,792 a------- c:\windows\SWREG.exe
2009-02-08 18:05 98,816 a------- c:\windows\sed.exe
2009-02-08 09:43 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-08 09:43 1,409 a------- c:\windows\QTFont.for
2009-01-31 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-31 14:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-31 14:58 <DIR> --d----- c:\docume~1\lisa\applic~1\SUPERAntiSpyware.com
2009-01-30 20:33 <DIR> --d----- c:\docume~1\lisa\applic~1\Malwarebytes
2009-01-30 20:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-30 20:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 20:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 20:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-30 20:15 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-30 19:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-30 19:32 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-30 19:32 <DIR> --d----- c:\program files\Lavasoft
2009-01-30 14:37 <DIR> --d----- c:\docume~1\lisa\applic~1\Pharaohs Secret
2009-01-28 23:00 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 23:00 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 23:00 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-28 23:00 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)

==================== Find3M ====================

2009-02-08 20:32 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-14 10:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-09 11:21 99,965 a------- c:\windows\UninstallFirefox.exe
2008-12-09 11:21 2,654 a------- c:\windows\mozver.dat

============= FINISH: 22:19:27.79 ===============

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 09 February 2009 - 08:24 AM

Hello.

Looking pretty good. No Attach.txt needed.

Also-I download some games occasionally from shockwave. Generally I play for a week or so and then uninstall them. Are those safe (as I thought they were) or could that be where all this mess started from in the first place?

The ones from Shockwave are safe. Just be careful what you download.

Please uninstall these old versions of Java using Add/Remove Programs:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03

Should I delete those programs now or perform any other clean up?

If all goes well, we should be clearing out next round.


Run ATF Cleaner again before running this scan.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.


#7 llj68
  • Topic Starter
  • Members
  • 17 posts

Posted 09 February 2009 - 09:01 PM

Hi Panda--

I deleted the old Java versions as instructed. Should I be checking each time Java updates to make sure the older versions are deleted?

Question---I have an old program--Dynomite Deluxe 2.70 that I have tried time and again to remove using Add/Remove Programs. It comes up with a "parsing failed: Unable to open file deluxe\install.log". Any way I can remove this unused program (easily!!). Please advise, if you have a moment.

Ran the ATF cleaner

Ran the F-Secure Scan--report follows.

Google & other search engines appear to be running well. (YAY!!)

Again--I can't thank you enough for all your help. You have no idea how much I appreciate it.

Lisa


Scanning Report
Monday, February 09, 2009 20:13:56 - 20:55:48

Computer name: D9TT6P61
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 1 malware found
TrackingCookie.2o7 (spyware)

* System

Statistics
Scanned:

* Files: 37209
* System: 3299
* Not scanned: 17

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\MCAFEE_GLYWMQJ2LV1KO7L
* C:\WINDOWS\TEMP\MCMSC_CHEYPCH0WCQPFKC
* C:\WINDOWS\TEMP\MCMSC_DCRYZX6WDJGQQDD
* C:\WINDOWS\TEMP\MCMSC_QI84EVBBUORFXWI
* C:\WINDOWS\TEMP\MCMSC_SYPFJPOCWNVS2G4
* C:\WINDOWS\TEMP\SQLITE_9R2SDOAZOHKGUQH
* C:\WINDOWS\TEMP\SQLITE_ECKJKAG4HVJHIZX
* C:\WINDOWS\TEMP\SQLITE_RLC3BXUXNPFHFMV
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\LISA\LOCAL SETTINGS\TEMP\SQLITE_UYKZLSF05QSF527
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LAVASOFT\AD-AWARE\MINIMESSAGE\2

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-09
* F-Secure AVP: 7.0.171, 2009-02-09
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 February 2009 - 08:18 AM

Hello.

F-Secure scan logs look good.

I have an old program--Dynomite Deluxe 2.70 that I have tried time and again to remove using Add/Remove Programs. It comes up with a "parsing failed: Unable to open file deluxe\install.log". Any way I can remove this unused program (easily!!).

No problem. (Pretty easy)

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    C:\Program Files\PopCap Games\Dynomite Deluxe\
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download HijackThis
  • Download the installer HERE onto your desktop and double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop-up after the installation.
  • Click Open the Misc tools section -> Open Uninstall Manager.
  • Select "Dynomite Deluxe 2.70". Click "Delete this entry"

Let's have one last DDS log (hopefully). Include the Attach.txt too please.

With Regards,
The Panda

#9 llj68
  • Topic Starter
  • Members
  • 17 posts

Posted 10 February 2009 - 07:34 PM

Hi Panda---

Here is the log from the OTMoveIt

========== FILES ==========
C:\Program Files\PopCap Games\Dynomite Deluxe\Stomped moved successfully.
C:\Program Files\PopCap Games\Dynomite Deluxe\sounds moved successfully.
C:\Program Files\PopCap Games\Dynomite Deluxe\properties moved successfully.
C:\Program Files\PopCap Games\Dynomite Deluxe\music moved successfully.
C:\Program Files\PopCap Games\Dynomite Deluxe\images\fossils moved successfully.
C:\Program Files\PopCap Games\Dynomite Deluxe\images moved successfully.
C:\Program Files\PopCap Games\Dynomite Deluxe\data moved successfully.
C:\Program Files\PopCap Games\Dynomite Deluxe moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02102009_193325

It uninstalled fine (and easily, thanks!!) and I just removed it from my list of programs (in add/remove programs) when prompted.

I'm off to do the DDS and will post those logs shortly.

Thanks!!

Lisa

#10 llj68
  • Topic Starter
  • Members
  • 17 posts

Posted 10 February 2009 - 07:47 PM

OK--here's my DDS log and attach.txt. Don't know if it matters but it literally took about 15 seconds for DDS to do its thing and present me with these logs. Hopefully I didn't do something wrong.

Also--if you could please advise which programs I should delete and which are good to keep for maintenance purposes (and when such maintenance should be done), I would sincerely appreciate it. I would rather not have to visit this site again in the near future (as nice as you have been!), and will take whatever measures are necessary to safeguard my system.

Finally, since I don't have real time protection using Spybot--whether one of these other programs I've downloaded would be a better fit for me. Obviously whatever I got came through my McAfee spyware protection, so I'm a bit under-impressed with that at the moment.

Again, thank you so much!!

Lisa



DDS (Ver_09-02-01.01) - NTFSx86
Run by Lisa at 19:40:56.21 on Tue 02/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.239 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Lisa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso9/default.asp?affid=105-36&dtag=9tt6p61
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Quicken Scheduled Updates.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisa\applic~1\mozilla\firefox\profiles\w7t4d3di.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\lisa\application data\mozilla\firefox\profiles\w7t4d3di.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-30 64160]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-11-10 138801]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-30 201320]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-11-10 46800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-2 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-30 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-30 35240]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-30 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-30 40488]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-30 695624]

=============== Created Last 30 ================

2009-02-10 19:33 <DIR> --d----- C:\_OTMoveIt
2009-02-09 20:07 <DIR> --d----- C:\fsaua.data
2009-02-08 20:29 <DIR> --d----- c:\windows\system32\scripting
2009-02-08 20:29 <DIR> --d----- c:\windows\l2schemas
2009-02-08 20:29 <DIR> --d----- c:\windows\system32\en
2009-02-08 20:29 <DIR> --d----- c:\windows\system32\bits
2009-02-08 20:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-08 20:24 <DIR> --d----- c:\windows\network diagnostic
2009-02-08 20:18 <DIR> --d----- c:\windows\EHome
2009-02-08 18:16 250 a------- c:\windows\gmer.ini
2009-02-08 18:05 161,792 a------- c:\windows\SWREG.exe
2009-02-08 18:05 98,816 a------- c:\windows\sed.exe
2009-02-08 09:43 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-08 09:43 1,409 a------- c:\windows\QTFont.for
2009-01-31 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-31 14:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-31 14:58 <DIR> --d----- c:\docume~1\lisa\applic~1\SUPERAntiSpyware.com
2009-01-30 20:33 <DIR> --d----- c:\docume~1\lisa\applic~1\Malwarebytes
2009-01-30 20:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-30 20:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 20:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 20:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-30 20:15 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-30 19:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-30 19:32 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-30 19:32 <DIR> --d----- c:\program files\Lavasoft
2009-01-30 14:37 <DIR> --d----- c:\docume~1\lisa\applic~1\Pharaohs Secret
2009-01-28 23:00 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 23:00 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 23:00 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-28 23:00 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)

==================== Find3M ====================

2009-02-08 20:32 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-14 10:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-09 11:21 99,965 a------- c:\windows\UninstallFirefox.exe
2008-12-09 11:21 2,654 a------- c:\windows\mozver.dat

============= FINISH: 19:41:23.96 ===============




Here's the Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/24/2005 5:13:59 PM
System Uptime: 2/10/2009 7:28:06 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0K8979
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 132.648 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1241: 12/9/2008 11:01:47 AM - Installed PartitionMagic
RP1242: 12/9/2008 11:27:21 AM - Installed Ontrack® Fix-It Utilities 4.0
RP1243: 12/10/2008 7:46:11 AM - Software Distribution Service 3.0
RP1244: 12/11/2008 11:02:26 AM - System Checkpoint
RP1245: 12/12/2008 11:50:39 AM - System Checkpoint
RP1246: 12/13/2008 3:26:38 PM - System Checkpoint
RP1247: 12/14/2008 10:33:45 AM - Installed Java™ 6 Update 11
RP1248: 12/15/2008 11:18:03 AM - System Checkpoint
RP1249: 12/16/2008 11:55:15 AM - System Checkpoint
RP1250: 12/17/2008 12:31:44 PM - System Checkpoint
RP1251: 12/18/2008 3:51:24 PM - System Checkpoint
RP1252: 12/18/2008 11:44:29 PM - Software Distribution Service 3.0
RP1253: 12/21/2008 1:55:21 PM - System Checkpoint
RP1254: 12/22/2008 2:21:50 PM - System Checkpoint
RP1255: 12/23/2008 2:41:29 PM - System Checkpoint
RP1256: 12/24/2008 2:53:57 PM - System Checkpoint
RP1257: 12/25/2008 3:32:38 PM - System Checkpoint
RP1258: 12/26/2008 5:53:20 PM - System Checkpoint
RP1259: 12/27/2008 7:53:40 PM - System Checkpoint
RP1260: 12/28/2008 8:29:50 PM - System Checkpoint
RP1261: 12/29/2008 10:10:45 PM - System Checkpoint
RP1262: 12/31/2008 9:35:08 AM - System Checkpoint
RP1263: 1/1/2009 10:18:50 AM - System Checkpoint
RP1264: 1/2/2009 10:33:05 AM - System Checkpoint
RP1265: 1/3/2009 11:23:55 AM - System Checkpoint
RP1266: 1/4/2009 4:53:09 PM - System Checkpoint
RP1267: 1/5/2009 5:06:45 PM - System Checkpoint
RP1268: 1/6/2009 5:22:53 PM - System Checkpoint
RP1269: 1/7/2009 5:24:37 PM - System Checkpoint
RP1270: 1/8/2009 6:00:18 PM - System Checkpoint
RP1271: 1/9/2009 6:38:48 PM - System Checkpoint
RP1272: 1/11/2009 9:56:28 AM - System Checkpoint
RP1273: 1/12/2009 10:49:32 AM - System Checkpoint
RP1274: 1/13/2009 10:52:21 AM - System Checkpoint
RP1275: 1/13/2009 11:57:13 PM - Software Distribution Service 3.0
RP1276: 1/15/2009 8:21:12 AM - Software Distribution Service 3.0
RP1277: 1/16/2009 11:15:28 AM - System Checkpoint
RP1278: 1/17/2009 12:05:07 PM - System Checkpoint
RP1279: 1/18/2009 1:16:02 PM - System Checkpoint
RP1280: 1/19/2009 4:18:41 PM - System Checkpoint
RP1281: 1/20/2009 4:54:15 PM - System Checkpoint
RP1282: 1/21/2009 4:55:21 PM - System Checkpoint
RP1283: 1/22/2009 5:10:46 PM - System Checkpoint
RP1284: 1/23/2009 6:22:15 PM - System Checkpoint
RP1285: 1/24/2009 6:57:10 PM - System Checkpoint
RP1286: 1/25/2009 7:44:08 PM - System Checkpoint
RP1287: 1/26/2009 7:53:38 PM - System Checkpoint
RP1288: 1/27/2009 8:03:22 PM - System Checkpoint
RP1289: 1/28/2009 9:52:54 PM - System Checkpoint
RP1290: 1/29/2009 10:05:49 PM - System Checkpoint
RP1291: 1/31/2009 8:08:11 AM - System Checkpoint
RP1292: 1/31/2009 2:58:50 PM - Installed SUPERAntiSpyware Free Edition
RP1293: 2/1/2009 11:59:31 AM - Installed Adobe Reader 7.1.0
RP1294: 2/2/2009 12:04:16 PM - System Checkpoint
RP1295: 2/3/2009 1:16:11 PM - System Checkpoint
RP1296: 2/4/2009 1:54:34 PM - System Checkpoint
RP1297: 2/5/2009 2:50:35 PM - System Checkpoint
RP1298: 2/6/2009 3:55:22 PM - System Checkpoint
RP1299: 2/7/2009 4:21:39 PM - System Checkpoint
RP1300: 2/8/2009 6:06:37 PM - ComboFix created restore point
RP1301: 2/8/2009 8:12:06 PM - Software Distribution Service 3.0
RP1302: 2/8/2009 8:13:17 PM - Software Distribution Service 3.0
RP1303: 2/8/2009 8:45:03 PM - Software Distribution Service 3.0
RP1304: 2/9/2009 8:47:23 AM - Removed Java 2 Runtime Environment, SE v1.4.2_03
RP1305: 2/9/2009 8:48:58 AM - Removed J2SE Runtime Environment 5.0 Update 6
RP1306: 2/9/2009 8:49:49 AM - Removed J2SE Runtime Environment 5.0 Update 4
RP1307: 2/9/2009 8:50:39 AM - Removed J2SE Runtime Environment 5.0 Update 11
RP1308: 2/9/2009 8:51:39 AM - Removed J2SE Runtime Environment 5.0 Update 10
RP1309: 2/9/2009 11:59:33 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
Avery® Wizard 2.1 for Microsoft® Office Word 2003
Banctec Service Agreement
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon iP3300
Canon iP3300 User Registration
Canon My Printer
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Setup Utility 2.3
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Picture Studio v3.0
Dell System Restore
DellSupport
DVD Shrink 3.2
Easy-WebPrint
Hotfix for Windows XP (KB952287)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio GDI+ Patch
Jasc Paint Shop Pro Studio, Dell Editon
Java™ 6 Update 11
LightScribe 1.4.31.1
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Shredder
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Basic Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Mozilla Firefox (3.0.6)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Nero Suite
Norton Ghost 9.0
Ontrack® Fix-It Utilities 4.0
PartitionMagic
PhotoStitch
PowerQuest PartitionMagic 8.0
Quicken 2004
QuickTime
RAW Image Task
RemoteCapture Task 1.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.2
Starry Night Backyard 3.1
SUPERAntiSpyware Free Edition
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Winamp (Remove Only)
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

2/9/2009 8:48:11 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
2/8/2009 8:48:56 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 7 for Windows XP.
2/8/2009 8:42:49 PM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
2/8/2009 2:11:53 PM, error: DCOM [10001] - Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
2/10/2009 7:20:02 PM, error: Print [6161] - The document Google/Search Engines Hi-Ja... owned by Lisa failed to print on printer Canon iP3300. Data type: NT EMF 1.008. Size of the spool file in bytes: 5171008. Number of bytes printed: 2724880. Total number of pages in the document: 14. Number of pages printed: 0. Client machine: \\D9TT6P61. Win32 error code returned by the print processor: 13 (0xd).

==== End Of File ===========================

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:48 PM

Posted 11 February 2009 - 03:37 PM

Hello.

Sorry for the delay. I just killed my computer yesterday. Anyways..

here's my DDS log and attach.txt. Don't know if it matters but it literally took about 15 seconds for DDS to do it's thing and present me with these logs

Yup. DDS works very fast.

Also--if you could please advise which programs I should delete and which are good to keep for maintenance purposes (and when such maintenance should be done),

It looks like you don't have all that much installed compared to some other machines I've seen.

Finally, since I don't have real time protection using Spybot--whether one of these other programs I've downloaded would be a better fit for me.

Spybot should have TeaTimer with it.

To enable TeaTimer: (get the latest version of SpyBot here if you don't have that already)
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [screenshot] and then on "Advanced Mode".
  • You may be presented with a warning dialog. If so, press [screenshot].
  • Click on [screenshot].
  • Click on [screenshot].
  • Check the checkbox shown in [screenshot].
  • Close/Exit Spybot Search and Destroy.

With Regards,
The Panda

#12 llj68
  • Topic Starter
  • Members
  • 17 posts
  • Local time:07:48 PM

Posted 11 February 2009 - 09:48 PM

Hi Panda--

I hope you have revived your computer--heck, at least you know what you are doing! I would be totally up a creek!

OK--I did the Spybot Tea Timer thing--deleted my old version of Spybot and installed the newer version. It updated and immunized the system upon installation. Seems to be working fine.

The programs/files I'm wondering about deleting are all the ones I downloaded for this fix. They are:

DDS
DDS log
SuperAnti Spyware
GooredFix
Gooredlog
Goored backups (empty folder)
catchme
ATF-Cleaner (I think I might keep this one--I like that it clears out everything at the push of a button)
AdAware (which Spybot doesn't like so I turned it off)
GMER
GMER Log
Combofix
Combofix log
Attach
Malware Bytes
OTMoveIt 3

Just want to clean up my desktop a bit, I guess. Especially since I know some of these aren't for a novice like me. And I'm wondering about your recommendations about running scans, etc., to maintain the computer a bit better. While it's been nice posting with you and I sincerely appreciate all your help, I'd rather just keep a clean computer and not have to come back.

Everything is now working fine. Great, actually. Way better than it was before--didn't realize how fast it could be. No problems with Google or any other searches or weird delays, etc. No more "waiting for 7.7.7.0..." when I do searches.

When you have time, please advise about the clean up efforts.

Thanks again!

Lisa

#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:48 PM

Posted 12 February 2009 - 08:27 AM

Hello.

All of those can be deleted safely. Uninstall Malwarebytes and SUPERAntiSpyware using Add/Remove Programs.

Consider using CCleaner to remove temporary files rather than ATF-Cleaner, as it has a few useful features such as keeping selected cookies.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#14 llj68
  • Topic Starter
  • Members
  • 17 posts
  • Local time:07:48 PM

Posted 13 February 2009 - 10:09 AM

Hi Panda--

I'm all set--you could probably close this topic now.

I have read the links you suggested and think that possibly my firewall was set too low when I had my new hard drive installed. I have since changed that. I also have Tea timer running from start up now.

I have created a new system restore point as advised and deleted the old ones. I have also created another "ghost" after all these issues have been corrected, so I should be good on backups.

I don't think I'll be using a registry cleaner after reading the forums. That sounds like it could royally mess up my computer, if used improperly. Since I'm not a computer expert by any means, I think I'll leave well enough alone. I will run SAS regularly, though.

Again, I can't thank you enough for all your help, expertise and prompt responses to all my questions and concerns. Sorry if I was a pain-- I just didn't want to mess it up more. You are awesome!!

Thanks again,

Lisa

#15 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:48 PM

Posted 13 February 2009 - 10:38 AM

Welcome.

CCleaner is not a registry cleaner, though it does have that feature available.

The Panda
