Redirects/pop ups/ spyware [code 38]


  • This topic is locked
16 replies to this topic

#1 g8trs99

g8trs99

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 15 June 2010 - 07:30 PM

Hi board. I'm looking for some expert advice. Thank you in advance.
Our computer is having a keyboard issue [code 38]. It states a previous version of
the driver exists. I have to continually uninstall the keyboard and reboot for it to work.
Yahoo search redirects to off the wall things when conducting a search and clicking on a link on the search page.
Google seems fine.
I get weird pop-ups and pop-up blocker is on full.

I ran HijackThis and I deleted some R0 and R1, R2 things that said yahoo default search.
I also deleted a *local proxy server R. I can't remember if 1, 2, or 3.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:18:40 PM, on 6/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100518064708.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [frfqbvwq] C:\Documents and Settings\Jesse\Local Settings\Application Data\uqcjcqihi\tbvrkbjtssd.exe
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Crystal')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.38.55/ttinst.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1ca66c7481044d2) (gupdate1ca66c7481044d2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 12164 bytes
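Most of the work in reading a log like the one above is deciding which O4 autostart lines deserve attention. As an added example (not code from the poster, from HijackThis, or from the BleepingComputer helpers), here is a small Python triage script that parses O4 lines and flags images that run from a per-user profile directory, carry a vowel-less name, or are given as a bare filename. The sample lines are copied from the log above; the heuristics and the function names (`parse_o4`, `triage`, `flagged`, `looks_random`) are this example's own assumptions, not HijackThis rules.

```python
"""Triage HijackThis O4 (autostart) lines by where the image lives and how it is named.

Added example, not part of the original forum post. The heuristics (per-user
profile directories, vowel-less names, bare filenames) are this example's own
assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [frfqbvwq] C:\Documents and Settings\Jesse\Local Settings\Application Data\uqcjcqihi\tbvrkbjtssd.exe
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Crystal')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""

# Registry-backed O4 line: hive, value name in brackets, command, optional "(User 'x')" suffix.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# Startup-folder O4 line has a different shape: "<shortcut>.lnk = <target>".
GLOBAL_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First executable/DLL path in the command, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd))', re.IGNORECASE)
# A per-user (not All Users) profile data directory on Windows XP-era layouts.
PROFILE_RE = re.compile(
    r"\\Documents and Settings\\(?!All Users\\)[^\\]+\\(?:Local Settings\\)?(?:Application Data|Temp)\\",
    re.IGNORECASE,
)


@dataclass
class Entry:
    hive: str
    name: str
    command: str
    image: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Location is the strongest single signal in this heuristic set.
        return "user-profile path" in self.reasons


def looks_random(token: str) -> bool:
    """Heuristic: six or more letters with no vowel at all (e.g. 'frfqbvwq')."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", token)
    return len(stem) >= 6 and stem.isalpha() and not re.search(r"[aeiouy]", stem, re.IGNORECASE)


def parse_o4(line: str) -> Optional[Entry]:
    """Return an Entry for an O4 line, or None for any other line."""
    m = O4_RE.match(line)
    if m:
        hive, name, cmd, user = m.group("hive", "name", "cmd", "user")
    else:
        m = GLOBAL_RE.match(line)
        if not m:
            return None
        hive, name, cmd, user = "Global Startup", m.group("name"), m.group("cmd"), None
    # rundll32-hosted entries: the DLL, not rundll32, is what needs review.
    body = re.sub(r"^rundll32(?:\.exe)?\s+", "", cmd, flags=re.IGNORECASE)
    im = IMAGE_RE.match(body)
    image = im.group("path") if im else body
    return Entry(hive, name, cmd, image, user)


def assess(entry: Entry) -> Entry:
    """Attach human-readable reasons to an entry; an empty list means nothing stood out."""
    if PROFILE_RE.search(entry.image):
        entry.reasons.append("user-profile path")
    basename = entry.image.rsplit("\\", 1)[-1]
    if looks_random(entry.name) or looks_random(basename):
        entry.reasons.append("random-looking name")
    if "\\" not in entry.image and entry.image not in ("?", ""):
        entry.reasons.append("bare filename, resolved via search path")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every O4 line in a HijackThis log and assess each one."""
    entries = (parse_o4(line.strip()) for line in log_text.splitlines())
    return [assess(e) for e in entries if e is not None]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that collected at least one reason."""
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        who = f" (user {e.user})" if e.user else ""
        print(f"[{e.hive}] {e.name}{who}: {e.image}\n    -> {', '.join(e.reasons)}")
```

Run against the sample, only the `frfqbvwq` entry is marked suspicious (user-profile path plus a vowel-less value name), while `SigmatelSysTrayApp` is listed only because its image is a bare filename and everything under Program Files or system32 passes through silently. The heuristics are deliberately coarse: a hit is a reason to look closer, not a verdict, and a vendor-signed updater living under a profile directory will trip the location rule too.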




#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:49 PM

Posted 15 June 2010 - 07:45 PM


Hello g8trs99,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information, with a screenshot, can be found here.

2.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply


3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
uninstall_list.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 g8trs99

g8trs99
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 16 June 2010 - 08:01 PM

ComboFix 10-06-16.02 - Jesse 06/16/2010 20:16:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.587 [GMT -4:00]
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-15 23:29 . 2010-06-15 23:29 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-15 00:37 . 2010-06-15 00:37 388096 ----a-r- c:\documents and settings\Crystal\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-14 02:19 . 2010-06-14 02:19 388096 ----a-r- c:\documents and settings\Jesse\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-14 02:19 . 2010-06-14 02:19 -------- d-----w- c:\program files\Trend Micro
2010-06-13 16:58 . 2010-06-13 16:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-06-12 05:33 . 2010-06-12 05:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-12 05:32 . 2010-06-12 05:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-27 11:29 . 2010-05-27 11:29 503808 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73b27fa0-n\msvcp71.dll
2010-05-27 11:29 . 2010-05-27 11:29 61440 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c669e9c-n\decora-sse.dll
2010-05-27 11:29 . 2010-05-27 11:29 499712 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73b27fa0-n\jmc.dll
2010-05-27 11:29 . 2010-05-27 11:29 348160 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73b27fa0-n\msvcr71.dll
2010-05-27 11:29 . 2010-05-27 11:29 12800 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c669e9c-n\decora-d3d.dll
2010-05-27 11:29 . 2010-05-27 11:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-27 11:21 . 2010-05-03 21:06 922400 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\JRERunOnce.exe
2010-05-27 01:24 . 2010-05-27 01:24 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\uqcjcqihi
2010-05-25 04:20 . 2010-05-25 04:20 503808 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44b487e5-n\msvcp71.dll
2010-05-25 04:20 . 2010-05-25 04:20 499712 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44b487e5-n\jmc.dll
2010-05-25 04:20 . 2010-05-25 04:20 348160 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44b487e5-n\msvcr71.dll
2010-05-24 10:34 . 2010-05-24 10:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 00:14 . 2009-11-16 14:37 -------- d-----w- c:\documents and settings\Crystal\Application Data\Skype
2010-06-16 23:06 . 2009-11-16 14:39 -------- d-----w- c:\documents and settings\Crystal\Application Data\skypePM
2010-06-15 23:33 . 2009-06-13 12:50 -------- d-----w- c:\program files\Safari
2010-06-15 01:37 . 2009-05-16 00:22 -------- d-----w- c:\program files\Dl_cats
2010-06-14 04:32 . 2009-06-09 21:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-31 22:13 . 2009-06-03 21:55 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-31 22:13 . 2009-06-03 21:55 56 --sh--r- c:\windows\system32\2615BC9984.sys
2010-05-27 11:21 . 2006-01-30 15:55 -------- d-----w- c:\program files\Common Files\Java
2010-05-18 21:32 . 2009-11-22 23:48 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-05 10:39 . 2006-01-30 16:11 -------- d-----w- c:\program files\McAfee.com
2010-05-05 10:28 . 2010-05-05 10:27 -------- d-----w- c:\program files\iTunes
2010-05-05 10:27 . 2010-05-05 10:27 -------- d-----w- c:\program files\iPod
2010-05-05 10:27 . 2009-05-16 04:59 -------- d-----w- c:\program files\Common Files\Apple
2010-05-05 10:22 . 2009-05-27 08:48 -------- d-----w- c:\documents and settings\Crystal\Application Data\Apple Computer
2010-05-05 10:22 . 2009-05-16 05:02 -------- d-----w- c:\documents and settings\Jesse\Application Data\Apple Computer
2010-05-05 10:20 . 2010-05-05 10:20 -------- d-----w- c:\program files\Bonjour
2010-05-05 10:17 . 2010-05-05 10:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-02 03:14 . 2006-01-30 16:13 -------- d-----w- c:\program files\McAfee
2010-05-02 03:14 . 2009-06-29 03:14 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-27 21:16 . 2010-05-01 14:02 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-05-01 14:02 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-05-01 14:02 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-05-01 14:02 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-05-01 14:02 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-05-01 14:02 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-05-01 14:02 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-05-01 14:02 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-05-01 14:02 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-05-01 14:02 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-21 10:32 . 2010-04-21 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-21 10:27 . 2009-05-16 05:00 -------- d-----w- c:\program files\QuickTime
2010-04-21 10:16 . 2010-04-21 10:16 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-30 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-30 168448]
"DLCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728]
"dlcjmon.exe"="c:\program files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 286720]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/1/2010 10:02 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/28/2009 11:16 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/1/2010 10:02 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/1/2010 10:02 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/1/2010 10:02 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/1/2010 10:02 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/1/2010 10:02 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/1/2010 10:02 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/1/2010 10:02 AM 88480]
S2 gupdate1ca66c7481044d2;Google Update Service (gupdate1ca66c7481044d2);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2009 10:15 AM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/1/2010 10:02 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/1/2010 10:02 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 14:15]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 14:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-frfqbvwq - c:\documents and settings\Jesse\Local Settings\Application Data\uqcjcqihi\tbvrkbjtssd.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86251D01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7556f28
\Driver\ACPI -> ACPI.sys @ 0xf73e9cb8
\Driver\atapi -> atapi.sys @ 0xf737b852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1092)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-16 20:35:03
ComboFix-quarantined-files.txt 2010-06-17 00:34

Pre-Run: 118,425,337,856 bytes free
Post-Run: 125,688,782,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D1E058118E66D58C7BD773CE762F87BF
________________________________________________________
964plc32
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Banctec Service Agreement
Bonjour
Bushnell GPS PC Companion V1.1
Compatibility Pack for the 2007 Office system
Corel Paint Shop Pro X
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Media Experience
Dell Photo AIO Printer 964
DellSupport
Digital Content Portal
Disney Toontown Online
EarthLink setup files
EducateU
ELIcon
Get High Speed Internet!
Google AFE
Google Chrome
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
H&R Block Deluxe + Efile 2009
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® 537EP V9x DF PCI Modem
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 20
Learn2 Player (Uninstall Only)
Macromedia Flash Player
McAfee AntiVirus Plus
McAfee Security Scan Plus
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetZeroInstallers
OGA Notifier 2.0.0048.0
Photo Click
Photo Viewer s2.5
PowerDVD 5.5
Print to Fax
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
Safari
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Skype web features
Skype™ 4.1
Sonic Copy Module
Sonic DLA
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Data
Sonic Update Manager
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WildGames
WildTangent Web Driver
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3

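As an added example (not part of the thread, of ComboFix or of any poster's text), here is a small Python triage script that reads ComboFix "Reg Loading Points" / "ORPHANS REMOVED" lines like those in the log above and flags autostart entries that launch a random-looking executable from a per-user Local Settings\Application Data folder, the shape of the HKCU-Run-frfqbvwq orphan that ComboFix removed. The sample lines are constructed for the demonstration (the Chrome entry's date and size are made up).

```python
"""Triage autostart lines from a ComboFix log for the pattern seen in this thread.

Added example; not part of ComboFix or of any post in the thread. It keeps only
entries whose program lives under a per-user 'Local Settings\\Application Data'
folder (writable without administrator rights) and flags those whose value
name, folder names or file stem look machine-generated, which is the shape of
the HKCU-Run-frfqbvwq -> ...\\uqcjcqihi\\tbvrkbjtssd.exe orphan in the log.
"""
import re

# Constructed sample: the orphan line from the log plus benign entries in the
# same format (the Chrome path is the real XP per-user install location; its
# date and size are made up).
SAMPLE_LINES = [
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    r'"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-02 68856]',
    r'HKCU-Run-frfqbvwq - c:\documents and settings\Jesse\Local Settings\Application Data\uqcjcqihi\tbvrkbjtssd.exe',
    r'"Google Chrome"="c:\documents and settings\Jesse\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010-05-01 1234]',
]

# First drive-letter path ending in an executable-ish extension on the line.
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|scr|bat|cmd))', re.I)
# Value name: the quoted REGEDIT4 form or ComboFix's HKxx-Run-<name> orphan form.
NAME_RE = re.compile(r'^(?:"([^"]+)"=|HK\w+-Run-(\S+)\s+-)', re.I)
LOCALAPPDATA_MARKER = "\\local settings\\application data\\"
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """True if any alphabetic token of `name` has a run of 4+ consonants or
    fewer than 20% vowels. Natural names (Google, Application) pass; strings
    like 'uqcjcqihi' or 'tbvrkbjtssd' do not."""
    for token in re.findall(r"[a-z]+", name.lower()):
        if len(token) < 5:
            continue  # too short to judge
        run = longest = 0
        for ch in token:
            run = 0 if ch in VOWELS else run + 1
            longest = max(longest, run)
        vowel_ratio = sum(ch in VOWELS for ch in token) / len(token)
        if longest >= 4 or vowel_ratio < 0.2:
            return True
    return False


def triage_line(line: str):
    """Return a finding dict for a suspicious per-user LocalAppData autostart, else None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    path = m.group(1)
    idx = path.lower().find(LOCALAPPDATA_MARKER)
    if idx < 0:
        return None  # not under a per-user Local Settings\Application Data folder
    tail = path[idx + len(LOCALAPPDATA_MARKER):]
    parts = tail.split("\\")
    components = parts[:-1] + [parts[-1].rsplit(".", 1)[0]]  # folders + file stem
    nm = NAME_RE.match(line.strip())
    name = (nm.group(1) or nm.group(2)) if nm else ""
    suspicious = [tok for tok in [name] + components if looks_random(tok)]
    if not suspicious:
        return None
    return {"name": name, "path": path, "suspicious_tokens": suspicious}


def triage(lines):
    """Run triage_line over every line and collect the findings."""
    return [f for f in (triage_line(ln) for ln in lines) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"[!] {finding['name']}: {finding['path']}")
        print(f"    random-looking tokens: {', '.join(finding['suspicious_tokens'])}")
```

A hit is only a lead for a closer look (the Find3M and snapshot sections show when the file appeared), not a verdict by itself.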


#4 g8trs99

g8trs99
  • Topic Starter

  • Members
  • 9 posts

Posted 16 June 2010 - 08:23 PM

Still having pop-ups and getting different sites on the search engine (Yahoo) than the link I click on.
Unsure on the keyboard issue.

#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 June 2010 - 05:15 PM

Hello,

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Domains::

File::
c:\windows\system32\2615BC9984.sys

Folder::
c:\documents and settings\Jesse\Local Settings\Application Data\uqcjcqihi


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
  • Download the file TDSSKiller.zip and extract it into a folder on the infected computer.
  • Double-click the file TDSSKiller.exe.
  • Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
  • If nothing has been detected, the utility will conduct a search for hidden services. If such a service is detected, the utility will report its name with a prompt to remove it. Type delete to remove a service.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

4.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Java 2 Runtime Environment, SE v1.4.2_03

Additional instructions can be found here if needed.

Things to include in your next reply:
Combofix.txt
TDSSKiller log
Gmer log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#6 g8trs99

g8trs99
  • Topic Starter

  • Members
  • 9 posts

Posted 18 June 2010 - 05:30 AM

6:30 am here in FL.
I will be catching a plane to Denver tonight and be there all next week.
I will do this as soon as I can the following week. Please do not lock the thread after 5 days.
Thanks for your help.

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 June 2010 - 06:24 PM

Ok

Send me a pm when you get back



#8 g8trs99

g8trs99
  • Topic Starter

  • Members
  • 9 posts

Posted 26 June 2010 - 05:41 PM

OK, I'm back. Here is the newest ComboFix run.
6-26-10
-
-

ComboFix 10-06-26.02 - Jesse 06/26/2010 17:34:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.711 [GMT -4:00]
Running from: c:\documents and settings\Jesse\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jesse\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"c:\windows\system32\2615BC9984.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jesse\Local Settings\Application Data\uqcjcqihi
c:\windows\system32\2615BC9984.sys

Infected copy of c:\windows\system32\DRIVERS\kbdhid.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-26 21:19 . 2010-06-26 21:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-06-18 01:06 . 2010-06-18 01:06 -------- d-----w- c:\program files\Common Files\Skype
2010-06-17 00:46 . 2010-06-17 00:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-06-15 23:29 . 2010-06-15 23:29 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-15 00:37 . 2010-06-15 00:37 388096 ----a-r- c:\documents and settings\Crystal\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-14 02:19 . 2010-06-14 02:19 388096 ----a-r- c:\documents and settings\Jesse\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-14 02:19 . 2010-06-14 02:19 -------- d-----w- c:\program files\Trend Micro
2010-06-13 16:58 . 2010-06-13 16:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-06-12 05:33 . 2010-06-12 05:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-12 05:32 . 2010-06-12 05:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 21:17 . 2009-11-16 14:37 -------- d-----w- c:\documents and settings\Crystal\Application Data\Skype
2010-06-26 20:59 . 2009-11-16 14:39 -------- d-----w- c:\documents and settings\Crystal\Application Data\skypePM
2010-06-18 21:47 . 2009-05-16 00:22 -------- d-----w- c:\program files\Dl_cats
2010-06-15 23:33 . 2009-06-13 12:50 -------- d-----w- c:\program files\Safari
2010-06-14 04:32 . 2009-06-09 21:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-31 22:13 . 2009-06-03 21:55 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-27 11:29 . 2010-05-27 11:29 503808 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73b27fa0-n\msvcp71.dll
2010-05-27 11:29 . 2010-05-27 11:29 61440 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c669e9c-n\decora-sse.dll
2010-05-27 11:29 . 2010-05-27 11:29 499712 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73b27fa0-n\jmc.dll
2010-05-27 11:29 . 2010-05-27 11:29 348160 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73b27fa0-n\msvcr71.dll
2010-05-27 11:29 . 2010-05-27 11:29 12800 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c669e9c-n\decora-d3d.dll
2010-05-27 11:29 . 2010-05-27 11:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-27 11:21 . 2006-01-30 15:55 -------- d-----w- c:\program files\Common Files\Java
2010-05-25 04:20 . 2010-05-25 04:20 503808 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44b487e5-n\msvcp71.dll
2010-05-25 04:20 . 2010-05-25 04:20 499712 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44b487e5-n\jmc.dll
2010-05-25 04:20 . 2010-05-25 04:20 348160 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44b487e5-n\msvcr71.dll
2010-05-18 21:32 . 2009-11-22 23:48 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-05 10:39 . 2006-01-30 16:11 -------- d-----w- c:\program files\McAfee.com
2010-05-05 10:28 . 2010-05-05 10:27 -------- d-----w- c:\program files\iTunes
2010-05-05 10:27 . 2010-05-05 10:27 -------- d-----w- c:\program files\iPod
2010-05-05 10:27 . 2009-05-16 04:59 -------- d-----w- c:\program files\Common Files\Apple
2010-05-05 10:22 . 2009-05-27 08:48 -------- d-----w- c:\documents and settings\Crystal\Application Data\Apple Computer
2010-05-05 10:22 . 2009-05-16 05:02 -------- d-----w- c:\documents and settings\Jesse\Application Data\Apple Computer
2010-05-05 10:20 . 2010-05-05 10:20 -------- d-----w- c:\program files\Bonjour
2010-05-05 10:17 . 2010-05-05 10:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-03 21:06 . 2010-05-27 11:21 922400 ----a-w- c:\documents and settings\Jesse\Application Data\Sun\Java\JRERunOnce.exe
2010-05-02 03:14 . 2006-01-30 16:13 -------- d-----w- c:\program files\McAfee
2010-05-02 03:14 . 2009-06-29 03:14 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-27 21:16 . 2010-05-01 14:02 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-05-01 14:02 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-05-01 14:02 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-05-01 14:02 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-05-01 14:02 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-05-01 14:02 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-05-01 14:02 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-05-01 14:02 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-05-01 14:02 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-05-01 14:02 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-21 10:16 . 2010-04-21 10:16 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-17_00.31.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-26 21:45 . 2010-06-26 21:45 16384 c:\windows\Temp\Perflib_Perfdata_1a4.dat
+ 2009-05-16 00:15 . 2008-04-13 18:39 14592 c:\windows\system32\dllcache\kbdhid.sys
+ 2009-05-16 00:16 . 2010-06-26 21:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-16 00:16 . 2010-06-16 19:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-16 00:16 . 2010-06-16 19:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-05-16 00:16 . 2010-06-26 21:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-17 00:40 . 2010-06-26 21:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-05-16 00:16 . 2010-06-16 19:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-06-18 21:22 . 2010-06-18 21:22 700416 c:\windows\Installer\24e1ff1.msi
+ 2010-06-18 01:07 . 2010-06-18 01:07 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
- 2009-11-16 14:15 . 2009-11-16 14:15 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-06-18 01:07 . 2010-06-18 01:07 1575936 c:\windows\Installer\52774d7.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-02 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-30 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-30 168448]
"DLCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728]
"dlcjmon.exe"="c:\program files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 286720]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/1/2010 10:02 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/28/2009 11:16 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/1/2010 10:02 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/1/2010 10:02 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/1/2010 10:02 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/1/2010 10:02 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/1/2010 10:02 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/1/2010 10:02 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/1/2010 10:02 AM 88480]
S2 gupdate1ca66c7481044d2;Google Update Service (gupdate1ca66c7481044d2);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2009 10:15 AM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/1/2010 10:02 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/1/2010 10:02 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 14:15]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 14:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 18:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1340)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\dlcjcoms.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2010-06-26 18:38:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-26 22:38
ComboFix2.txt 2010-06-17 00:35

Pre-Run: 113,902,194,688 bytes free
Post-Run: 119,979,773,952 bytes free

- - End Of File - - 14CE5FE7893FA8807FB113C026445E9F


#9 g8trs99

g8trs99
  • Topic Starter

  • Members
  • 9 posts

Posted 26 June 2010 - 06:38 PM

Here is the Gmer thing-
When I copied and tried to hook back up to Internet Explorer, the computer went into a blue screen and said dumping physical memory. I turned it off ASAP and it booted back up OK.
On the TDSSKiller I never got a log. It ran and said nothing was found.
_____________________________
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-26 19:32:16
Windows 5.1.2600 Service Pack 3
Running: 7smmstni.exe; Driver: C:\DOCUME~1\Jesse\LOCALS~1\Temp\pwloapob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7318DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7318DC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7318DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7318E46]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7318D9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7318D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7318D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF7318DDA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7318E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7318E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7318E70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7318E5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7318E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP F7318E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP F7318E4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP F7318E60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP F7318E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP F7318D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP F7318D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP F7318E74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP F7318E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP F7318DDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP F7318DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP F7318DC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP F7318DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP F7318DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF788D760]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[288] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[288] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[288] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FC3
.text C:\WINDOWS\system32\svchost.exe[288] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[288] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FDE
.text C:\WINDOWS\system32\svchost.exe[288] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0090009A
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900FA5
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900073
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900062
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FD1
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000D7
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009000C6
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F74
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0090010D
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F63
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900FB6
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009000AB
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0090003D
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\svchost.exe[288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009000F2
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00036
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00FB9
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D0001B
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D0006C
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D0005B
.text C:\WINDOWS\system32\svchost.exe[288] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF002E
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0FAD
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0FD2
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF001D
.text C:\WINDOWS\system32\svchost.exe[288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FE3
.text C:\WINDOWS\system32\svchost.exe[288] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[288] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00920014
.text C:\WINDOWS\system32\svchost.exe[288] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[288] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[572] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[572] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D80FD4
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70FAD
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70098
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70087
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70FCA
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D7005B
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D700CE
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D700BD
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D700FA
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70F61
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D70115
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D7006C
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70014
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70F92
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D7004A
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D7002F
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D700DF
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60F91
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60011
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60FA2
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D6004E
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D6003D
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50FAD
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D5002E
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50FC8
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D5001D
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D5000C
.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD009A
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0FA5
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0089
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0FC0
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD00D9
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00BC
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD010C
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD00FB
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0F4E
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0062
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD00AB
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD00EA
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FDB
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930025
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930062
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F8D
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920022
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FBC
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD7
.text C:\WINDOWS\system32\services.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\lsass.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\lsass.exe[1092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\lsass.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D30F77
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D3006C
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D30F92
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30FAF
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D30FCA
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D30F49
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D30F66
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D300C7
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D300AC
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D300E2
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D30051
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D30091
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D30036
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D30F24
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0040
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE008A
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE0FCD
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 88]
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE005B
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD001B
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0FA1
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0FD2
.text C:\WINDOWS\system32\lsass.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0FC0
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE00AB
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE008E
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0073
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0047
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00DC
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0108
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F65
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F4A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0062
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0FAF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FDB
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00ED
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02430051
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0243006C
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02430040
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02430025
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02430FAF
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0243000A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02430FD4
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 8A]
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02430FE5
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0242003D
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 02420FB2
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02420FCD
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02420FEF
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02420022
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02420FDE
.text C:\WINDOWS\system32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0241000A
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D70FDE
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60098
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60FA3
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D6007D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60062
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60040
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F6D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F7E
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600F2
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D600E1
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60F48
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60051
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600A9
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D6002F
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D600D0
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DA0022
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DA0F94
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DA0FD1
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DA0011
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DA0FA5
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DA0047
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DA0FC0
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D90F92
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D90FA3
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D9001D
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D9000C
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D90FBE
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90FE3
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80000
.text C:\WINDOWS\System32\svchost.exe[1456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 039A0FEF
.text C:\WINDOWS\System32\svchost.exe[1456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 039A0FC3
.text C:\WINDOWS\System32\svchost.exe[1456] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 039A0FD4
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03990FEF
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0399006C
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0399005B
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03990F83
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03990040
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03990FB9
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03990F46
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0399008E
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 039900CE
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 039900B3
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03990F10
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03990F9E
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0399000A
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0399007D
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03990FD4
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03990025
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03990F35
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 039E0025
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 039E0080
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 039E0FD4
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 039E000A
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 039E0FB9
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 039E0FEF
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 039E005B
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 039E0040
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 039D0070
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!system 77C293C7 5 Bytes JMP 039D005F
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 039D0029
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 039D0000
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 039D0044
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 039D0FEF
.text C:\WINDOWS\System32\svchost.exe[1456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 039C000A
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 039B0000
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 039B0FDB
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 039B0FCA
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 039B0FAF
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007A0014
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007A0FDE
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00790F8A
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0079007F
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 00790064
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790FB9
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007900B5
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007900A4
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00790F3A
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00790F4B
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007900EE
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00790036
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00790FDB
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790F79
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790FCA
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00790011
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00790F5C
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007D0036
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007D0FAF
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007D001B
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007D0FC0
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007D0000
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007D0062
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007D0051
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0FAD
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0038
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C0FE3
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C000C
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C0FC8
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C001D
.text C:\WINDOWS\system32\svchost.exe[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0067
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F7C
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE004A
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F8D
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00A6
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0095
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00CB
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F32
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00E6
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE002F
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0078
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F43
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20025
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20F83
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C2004A
.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10F8B
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10F9C
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10FC8
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10FAD
.text C:\WINDOWS\system32\svchost.exe[1612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C1000C
.text C:\WINDOWS\system32\svchost.exe[1612] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\wuauclt.exe[1936] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 027E000A
.text C:\WINDOWS\system32\wuauclt.exe[1936] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 027E001B
.text C:\WINDOWS\system32\wuauclt.exe[1936] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 027E0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D0000
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027D0F6F
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027D0064
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027D0049
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027D0F8A
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027D0FB6
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027D0F4D
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027D0089
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027D0F21
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027D00BA
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027D00CB
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027D0FA5
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027D0F5E
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027D002C
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027D0011
.text C:\WINDOWS\system32\wuauclt.exe[1936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027D0F3C
.text C:\WINDOWS\system32\wuauclt.exe[1936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027B0069
.text C:\WINDOWS\system32\wuauclt.exe[1936] msvcrt.dll!system 77C293C7 5 Bytes JMP 027B0058
.text C:\WINDOWS\system32\wuauclt.exe[1936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027B0022
.text C:\WINDOWS\system32\wuauclt.exe[1936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027B0033
.text C:\WINDOWS\system32\wuauclt.exe[1936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027C001B
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027C006C
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027C0FCA
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027C0000
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027C0FAF
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 027C0047
.text C:\WINDOWS\system32\wuauclt.exe[1936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027C002C
.text C:\WINDOWS\system32\wuauclt.exe[1936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027A0000
.text C:\WINDOWS\Explorer.EXE[2016] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\Explorer.EXE[2016] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F0001B
.text C:\WINDOWS\Explorer.EXE[2016] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F00000
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF00AE
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0FAF
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0087
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0076
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF004A
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF00DA
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF00C9
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF0109
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF0F70
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF011A
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF005B
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF000A
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF0F9E
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF0025
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0F81
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D60FDB
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D60F83
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D6002C
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D60011
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D60F9E
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D60000
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01D60FAF
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F6, 89]
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D60FCA
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01D50055
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!system 77C293C7 5 Bytes JMP 01D50FCA
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01D50029
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01D50FEF
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01D5003A
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01D5000C
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01590FEF
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01590FDE
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01590014
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0159002F
.text C:\WINDOWS\Explorer.EXE[2016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D40FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[816] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[816] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat F0CDCD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

***********
Seems to be a bit better. Did not have a redirect or a pop up for about 10 mins.

Edited by g8trs99, 26 June 2010 - 06:45 PM.
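As a reading aid for the GMER "User code sections" listing above, here is an added Python helper of my own (not code from the thread, from GMER, or from any tool named in it) that parses `.text` lines in the shape shown, groups the hooks per process and counts the distinct pages their JMPs land in. The sample lines inside are constructed copies in that format; GMER names the owning module in parentheses when it can attribute an address, as it does for the McAfee IAT entries above, while these `.text` JMP targets carry no such attribution, which is why the per-process trampoline pages are worth collecting for follow-up.

```python
"""Triage helper for GMER '.text' (user-mode inline hook) log lines.

Added example: my own code, not part of the thread or of GMER itself.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of the GMER 1.0.15 lines posted above:
# three full 5-byte hooks in one svchost, and Explorer's RegCreateKeyW,
# which GMER reports in two pieces (a 2-byte JMP plus 2 raw bytes at +3).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00CB
.text C:\WINDOWS\system32\svchost.exe[1612] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01D60FAF
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F6, 89]
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01590FEF
---- User IAT/EAT - GMER 1.0.15 ----
"""

# One '.text' record: process[pid] module!api [+ offset] address size Bytes,
# followed by either "JMP target" or the raw patch bytes in brackets.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<api>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$"
)


@dataclass
class Hook:
    process: str                 # image path exactly as GMER printed it
    pid: int
    module: str                  # DLL whose export was patched
    api: str                     # patched export
    offset: int                  # byte offset into the export (0 = entry point)
    address: int                 # virtual address of the patch
    size: int                    # bytes overwritten
    target: Optional[int]        # JMP destination, None for a raw byte patch
    raw_bytes: Tuple[int, ...] = ()


def parse_hooks(text: str) -> List[Hook]:
    """Parse every '.text' line; lines from other GMER sections are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        raw = tuple(int(b, 16) for b in m["raw"].split(",")) if m["raw"] else ()
        hooks.append(Hook(
            process=m["proc"], pid=int(m["pid"]), module=m["module"], api=m["api"],
            offset=int(m["offset"] or 0), address=int(m["addr"], 16),
            size=int(m["size"]), target=int(m["target"], 16) if m["target"] else None,
            raw_bytes=raw,
        ))
    return hooks


@dataclass
class ProcessSummary:
    hooked_apis: Set[str] = field(default_factory=set)        # "module!api"
    trampoline_pages: Set[int] = field(default_factory=set)   # 4 KiB pages jumped to
    split_patches: Set[str] = field(default_factory=set)      # patched in >1 piece


def summarize(hooks: List[Hook]) -> Dict[Tuple[str, int], ProcessSummary]:
    """Group hooks by (process, pid); a hook shorter than 5 bytes or recorded
    at a non-zero offset is a split patch, as with RegCreateKeyW above."""
    out: Dict[Tuple[str, int], ProcessSummary] = defaultdict(ProcessSummary)
    for h in hooks:
        s = out[(h.process, h.pid)]
        name = f"{h.module}!{h.api}"
        s.hooked_apis.add(name)
        if h.target is not None:
            s.trampoline_pages.add(h.target & ~0xFFF)
        if h.offset or h.size < 5:
            s.split_patches.add(name)
    return dict(out)


def report(summary: Dict[Tuple[str, int], ProcessSummary]) -> List[str]:
    """One line per process: hook count, trampoline pages, split patches."""
    lines = []
    for (proc, pid), s in sorted(summary.items()):
        pages = ", ".join(f"{p:08X}" for p in sorted(s.trampoline_pages))
        split = f"; split patches: {', '.join(sorted(s.split_patches))}" if s.split_patches else ""
        lines.append(f"{proc}[{pid}]: {len(s.hooked_apis)} hooked exports, "
                     f"{len(s.trampoline_pages)} trampoline page(s): {pages}{split}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_hooks(SAMPLE_LOG)))))
```

Feed it the full log instead of SAMPLE_LOG and every hooked process appears on one line, so a process whose exports all jump into the same few pages stands out from one with scattered targets.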


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 26 June 2010 - 07:59 PM

Hello,

Welcome back! Logs look good, let's run a couple of other scanners to make sure.

1.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
MBAM log
ESET log
HijackThis log
HOW is your machine running?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 28 June 2010 - 05:47 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it



#12 g8trs99

g8trs99
  • Topic Starter

  • Members
  • 9 posts

Posted 30 June 2010 - 08:43 PM

Running Mbam now.
Sorry I've been busy.
Our nephew is living with us now due to some family problems he was dealing with. Having to deal with that. Thank you for your help.

-
-
Mbam log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4262

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 9:50:39 PM
mbam-log-2010-06-30 (21-50-39).txt

Scan type: Quick scan
Objects scanned: 151223
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by g8trs99, 30 June 2010 - 08:51 PM.


#13 g8trs99

g8trs99
  • Topic Starter

  • Members
  • 9 posts

Posted 30 June 2010 - 10:24 PM

eset
-
C:\Documents and Settings\Jesse\Application Data\Sun\Java\Deployment\cache\6.0\60\11a9a9bc-71c08699 multiple threats deleted - quarantined
-
-
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:25:14 PM, on 6/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100518064708.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Crystal')
O4 - HKUS\S-1-5-21-3817426034-323463974-1293857777-1007\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized (User 'Crystal')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.38.55/ttinst.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1ca66c7481044d2) (gupdate1ca66c7481044d2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 13219 bytes



It sure is running better. Not sure if fixed or not, but I have not had any redirects or keyboard issues.

Edited by g8trs99, 30 June 2010 - 10:26 PM.
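The log excerpt above ends with HijackThis O16/O18/O22/O23 entries, where every line has the shape `<section> - <kind>: <field> - <field> - <path>`. As an added illustration (not code from the poster or from Trend Micro), the script below parses such lines, counts entries per section, and lists the O23 services whose binary carries no vendor information ("Unknown owner"), which is the first thing a helper on this forum checks by hand; the sample lines are copied from the posted log, and the doubled backslash in the McShield path is collapsed when paths are normalised.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log
# posted in this thread (the "--" trailer and "End of file" line included
# so the parser demonstrably skips them).
SAMPLE_LOG = r"""
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: Google Update Service (gupdate1ca66c7481044d2) (gupdate1ca66c7481044d2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
--
End of file - 13219 bytes
"""

# Only the "O" sections are handled here; R0/R1 lines use a different layout.
LINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")


@dataclass
class Entry:
    code: str          # e.g. "O23"
    kind: str          # e.g. "Service"
    fields: list       # the " - "-separated fields after the kind


def parse_hjt(text):
    """Parse HijackThis O-section lines; headers, blanks and trailers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = [f.strip() for f in m.group("rest").split(" - ")]
        entries.append(Entry(m.group("code"), m.group("kind"), fields))
    return entries


def count_by_section(entries):
    """How many entries each section (O16, O18, ...) contributed."""
    return dict(Counter(e.code for e in entries))


def normalize_path(path):
    """Lower-case the path and collapse repeated backslashes (as in the McShield line)."""
    return re.sub(r"\\{2,}", r"\\", path).lower()


def service_paths(entries):
    """Map each O23 service name to the normalised path of its binary."""
    return {e.fields[0]: normalize_path(e.fields[-1]) for e in entries if e.code == "O23"}


def unknown_owner_services(entries):
    """O23 services whose vendor field is 'Unknown owner'; these get looked up by hand."""
    return [e.fields[0] for e in entries
            if e.code == "O23" and e.fields[-2].lower() == "unknown owner"]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", count_by_section(parsed))
    for name in unknown_owner_services(parsed):
        print("check vendor of service:", name, "->", service_paths(parsed)[name])
```

An "Unknown owner" entry only means the service executable has no embedded company name; both flagged services in the sample (a Dell printer component and the Dell support broker) turned out benign in this thread, so the list is a worklist for manual review, not a verdict.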


#14 fireman4it

fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 July 2010 - 05:55 PM

Hello, g8trs99.
Congratulations! You now appear clean!

Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".


Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions add resident protection and do not nag.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 fireman4it

fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 03 July 2010 - 08:37 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it





