
Redirect Virus


This topic is locked. 21 replies to this topic.

#1 Magic Rat
  • Members
  • 11 posts

Posted 03 February 2011 - 10:20 PM

Thanks so much for your help!

I removed a bunch of trojans with Malwarebytes Anti-Malware and Hitman Pro 3.5.

But I've still got a redirect virus that won't let me follow almost any Google link to the proper site. (Currently the MBAM active protection blocks all of these redirects).

I've run updated versions of MBAM, Hitman Pro 3.5, Adaware and Spybot Search & Destroy. But the problem remains.

Also, something keeps disabling the McAfee real-time scanner. When I turn it back on, it automatically turns off after a few minutes (though not all the time).

Judging from other posts, I'm sure you can help. Here's the DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Rick at 19:12:56.31 on Thu 02/03/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1278 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Secunia\PSI\PSIA.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
c:\program files\real\realplayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Documents and Settings\Rick\Desktop\dds.scr
c:\program files\real\realplayer\RealPlay.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101104211932.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PfLEguVYiWwSt.exe] c:\documents and settings\all users\application data\PfLEguVYiWwSt.exe
uRun: [AVG Antivirus 2011] c:\program files\avg antivirus 2011\avg.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102458049968
DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - hxxp://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\jb41nd37.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-9 64160]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-17 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-17 84072]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-1 363344]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-17 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-17 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-17 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-17 141792]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-17 55840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-1 20952]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-17 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-17 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-17 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-17 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-17 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-17 84264]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [2005-9-15 14336]

=============== Created Last 30 ================

2011-01-31 02:03:57 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Temp
2011-01-30 20:10:47 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Adobe
2011-01-30 19:58:48 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-01-30 19:58:44 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-01-30 19:58:31 -------- d-----w- c:\windows\Logs
2011-01-30 19:58:27 -------- d-----w- c:\program files\Winamp Detect
2011-01-30 19:42:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-30 19:42:36 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-01-30 19:36:57 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-01-30 19:36:36 -------- d-----w- c:\program files\common files\xing shared
2011-01-30 19:36:09 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-01-30 19:35:49 100864 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-01-30 19:30:51 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-01-30 19:30:51 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-01-30 19:09:34 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Secunia PSI
2011-01-30 19:09:18 -------- d-----w- c:\program files\Secunia
2011-01-30 15:45:45 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-01-30 05:35:53 86016 --sha-r- c:\windows\system32\prnqctl5.dll
2011-01-18 04:27:36 -------- d-----w- c:\program files\iTunes
2011-01-17 23:59:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-17 23:54:43 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-17 23:46:47 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-17 23:46:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

==================== Find3M ====================

2011-01-30 19:42:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-30 19:35:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-30 19:35:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
2009-04-02 01:25:53 1878888 ------w- c:\program files\install_flash_player.exe

============= FINISH: 19:14:26.17 ===============
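The DDS log above is the kind of output a helper reads by eye: the autorun entries under "Pseudo HJT Report" and the attribute flags under "Created Last 30" are where the suspicious items in this thread show up (a randomly named executable launched from All Users\Application Data, a "security product" autorun that does not match the registered McAfee AV, and a new hidden+system DLL in system32). The script below is an added example, not part of the original post or of the DDS tool, that applies those same triage heuristics mechanically. The thresholds, the list of user-writable path markers, and the `Finding` structure are assumptions of this example; the sample lines are excerpted from the log above.

```python
"""
Triage helper for DDS "Pseudo HJT Report" Run entries and "Created Last 30" lines.
Flags: autoruns launched from user-writable locations, autorun names that look
randomly generated, security-product autoruns that do not match the registered AV,
and newly created hidden+system files inside the Windows directory.
The heuristics and thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines excerpted from the DDS log above, in DDS's own format.
SAMPLE_DDS = r"""
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PfLEguVYiWwSt.exe] c:\documents and settings\all users\application data\PfLEguVYiWwSt.exe
uRun: [AVG Antivirus 2011] c:\program files\avg antivirus 2011\avg.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
2011-01-30 05:35:53 86016 --sha-r- c:\windows\system32\prnqctl5.dll
2011-01-30 19:42:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-17 23:59:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
AV_RE = re.compile(r"^AV: (?P<vendor>\S+)")
TARGET_RE = re.compile(r"^(.*?\.(?:exe|com|scr|dll|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)

# Path fragments that mark locations an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("documents and settings", "application data", "\\temp\\",
                 "appdata", "programdata", "\\users\\")
SECURITY_WORDS = ("antivirus", "anti-virus", "security", "defender", "protection")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def target_of(cmd: str) -> str:
    """Best-effort extraction of the launched file from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = TARGET_RE.match(cmd)                    # unquoted path with spaces, ending in an executable extension
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic: long, purely alphabetic, and the letter case flips on most adjacent pairs."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips / (len(stem) - 1) >= 0.65      # threshold chosen so CamelCase vendor names pass


def triage(dds_text: str) -> List[Finding]:
    """Walk the DDS lines once and collect the entries worth a second look."""
    findings: List[Finding] = []
    av_vendor: Optional[str] = None
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m:                                   # remember the AV product DDS reports as registered
            av_vendor = m.group("vendor").lower()
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = []
            name = m.group("name")
            target = target_of(m.group("cmd")).lower()
            if any(marker in target for marker in USER_WRITABLE):
                reasons.append("autorun launches from a user-writable location")
            if looks_random(name):
                reasons.append("autorun name looks randomly generated")
            lname = name.lower()
            if av_vendor and any(w in lname for w in SECURITY_WORDS) and av_vendor not in lname:
                reasons.append(f"claims to be a security product but the registered AV is {av_vendor}")
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path").lower()
            # DDS attribute string: 's' = system, 'h' = hidden; both set on a new file in %windir% is unusual
            if "h" in attrs and "s" in attrs and path.startswith("c:\\windows"):
                findings.append(Finding(line, ["new hidden+system file inside the Windows directory"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, it reports the PfLEguVYiWwSt.exe autorun (two reasons), the "AVG Antivirus 2011" autorun, and prnqctl5.dll, while leaving ctfmon, the McAfee agent, KernelFaultCheck and NvCplDaemon alone. The output is a shortlist for a human to check, not a verdict: a file's location and name say nothing certain about its contents, which is why the helper in this thread asks for a rootkit scanner and ComboFix logs before acting.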



#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 February 2011 - 12:16 AM

Hello Magic Rat,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version (2.3.2.2) of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 Magic Rat
  • Topic Starter
  • Members
  • 11 posts

Posted 04 February 2011 - 09:45 AM

Problems. I'm writing this on a different, clean computer.

I ran TDSSKiller. Nothing found.

I tried to run RKill from the desktop, but nothing happened. I had run it successfully before from a thumb drive when I was removing the first trojans. It's been renamed iEXPLORE. That worked.

I ran Combo Fix (after installing the Windows Recovery) and it went through 50 steps. Then it said it was deleting 3 or 4 files (I didn't write down their names because I was expecting to get a log). But after another 3 minutes, the computer screen went blue and I got this message:

"Plug and play detected an error, most likely caused by a faulty driver...

Stop: 0x000000CA (0x00000004, 0x85267558, 0x00000000, 0x00000000)...

Physical memory dump complete."

When I rebooted, there was a red warning button on the tray that said "Warning: you have exceeded your profile space by 4100257 KB"

I tried to launch Firefox, but nothing happened. I tried to run TDSSKiller, but it just froze. The cursor was free, but nothing seemed to open.

Help!

#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 February 2011 - 12:34 PM

Hello,


Please boot into safe mode and run ComboFix again. Did ComboFix produce a log after it ran? Why are you running TDSSKiller again? Please only do the things I ask of you, in the order I give them.

Let's boot into safe mode and run ComboFix.

1.
Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

Now run ComboFix again and post the log.



#5 Magic Rat
  • Topic Starter
  • Members
  • 11 posts

Posted 04 February 2011 - 01:28 PM

OK. I'll run Combo Fix in safe mode as soon as I get home tonight.

Your instructions asked for a TDSSKiller log. I thought you wanted a new log after running this again. (Or possibly I confused it with DDS.) I'm new to all this stuff. Sorry for the mistake.

And thanks again.

#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 February 2011 - 04:44 PM

Hello,

I just need the original first run of TDSSKiller's log and the ComboFix.txt.



#7 Magic Rat
  • Topic Starter
  • Members
  • 11 posts

Posted 06 February 2011 - 08:09 PM

I think I might have forgotten to save the TDSSKiller log. Is it worth it to run again for you to see the log?

I ran ComboFix in safe mode and it restarted the computer. But then the computer stalled before it could generate a log. I rebooted, ran ComboFix again in safe mode and now have the log.

Unfortunately, my cable has been out since Friday (I'm writing this at a friend's house). So I'll post the log when I'm back online.

Also: AVG Virus 2011 appeared on my programs start menu, but I never downloaded it. Not sure if it's real or another Trojan. Any idea?

And when I disabled McAfee, checking "never" to restart the firewall or active scanning, both were active after a reboot.

#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 February 2011 - 12:19 AM

Hello,


There is a fake AVG Virus going around; don't do anything until I see those logs. Go ahead and run TDSSKiller again and post that log along with the ComboFix log.



#9 Magic Rat
  • Topic Starter
  • Members
  • 11 posts

Posted 07 February 2011 - 06:54 PM

Back online. Here are the logs.

2011/02/07 18:52:21.0453 1676 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/07 18:52:21.0781 1676 ================================================================================
2011/02/07 18:52:21.0781 1676 SystemInfo:
2011/02/07 18:52:21.0781 1676
2011/02/07 18:52:21.0781 1676 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/07 18:52:21.0781 1676 Product type: Workstation
2011/02/07 18:52:21.0781 1676 ComputerName: COMPUTER
2011/02/07 18:52:21.0781 1676 UserName: Rick
2011/02/07 18:52:21.0781 1676 Windows directory: C:\WINDOWS
2011/02/07 18:52:21.0781 1676 System windows directory: C:\WINDOWS
2011/02/07 18:52:21.0781 1676 Processor architecture: Intel x86
2011/02/07 18:52:21.0781 1676 Number of processors: 2
2011/02/07 18:52:21.0781 1676 Page size: 0x1000
2011/02/07 18:52:21.0781 1676 Boot type: Safe boot with network
2011/02/07 18:52:21.0781 1676 ================================================================================
2011/02/07 18:52:22.0640 1676 Initialize success
2011/02/07 18:52:52.0765 1556 ================================================================================
2011/02/07 18:52:52.0765 1556 Scan started
2011/02/07 18:52:52.0765 1556 Mode: Manual;
2011/02/07 18:52:52.0765 1556 ================================================================================
2011/02/07 18:52:53.0546 1556 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/07 18:52:53.0734 1556 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/07 18:52:54.0015 1556 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/07 18:52:54.0218 1556 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/07 18:52:54.0406 1556 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/02/07 18:52:55.0468 1556 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/07 18:52:55.0625 1556 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/07 18:52:55.0906 1556 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/07 18:52:56.0031 1556 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/07 18:52:56.0250 1556 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/07 18:52:56.0625 1556 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/07 18:52:56.0890 1556 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/07 18:52:57.0031 1556 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/07 18:52:57.0250 1556 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/07 18:52:57.0406 1556 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
2011/02/07 18:52:58.0015 1556 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/07 18:52:58.0203 1556 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/07 18:52:58.0406 1556 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/07 18:52:58.0562 1556 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/07 18:52:58.0750 1556 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/07 18:52:59.0078 1556 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/07 18:52:59.0265 1556 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/07 18:52:59.0515 1556 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/07 18:52:59.0718 1556 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/07 18:52:59.0859 1556 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/07 18:53:00.0046 1556 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/07 18:53:00.0156 1556 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/07 18:53:00.0359 1556 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/07 18:53:00.0468 1556 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/07 18:53:00.0671 1556 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/02/07 18:53:00.0750 1556 GEARAspiWDM (df6e37b27a9a1a498c6d9f29995b7a03) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/02/07 18:53:00.0953 1556 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/07 18:53:01.0171 1556 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/07 18:53:01.0515 1556 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/07 18:53:02.0109 1556 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/07 18:53:02.0343 1556 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/07 18:53:02.0625 1556 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/07 18:53:02.0828 1556 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/07 18:53:02.0953 1556 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/07 18:53:03.0140 1556 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/07 18:53:03.0296 1556 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/07 18:53:03.0500 1556 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/07 18:53:03.0906 1556 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/07 18:53:04.0171 1556 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/07 18:53:04.0515 1556 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/07 18:53:04.0734 1556 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/07 18:53:05.0031 1556 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/07 18:53:05.0515 1556 Lbd (53b670772d98b459a5af35598ab5815e) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/02/07 18:53:06.0343 1556 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
2011/02/07 18:53:06.0781 1556 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/02/07 18:53:07.0000 1556 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/02/07 18:53:07.0140 1556 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/02/07 18:53:07.0328 1556 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
2011/02/07 18:53:07.0453 1556 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/02/07 18:53:07.0671 1556 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/02/07 18:53:07.0718 1556 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/02/07 18:53:07.0875 1556 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/02/07 18:53:08.0062 1556 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2011/02/07 18:53:08.0218 1556 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/07 18:53:08.0390 1556 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/07 18:53:08.0531 1556 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/07 18:53:08.0796 1556 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/07 18:53:09.0078 1556 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/07 18:53:09.0296 1556 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/07 18:53:09.0546 1556 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/07 18:53:09.0687 1556 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/07 18:53:09.0843 1556 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/07 18:53:09.0937 1556 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/07 18:53:10.0109 1556 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/07 18:53:10.0203 1556 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/07 18:53:10.0421 1556 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/07 18:53:10.0546 1556 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/07 18:53:10.0734 1556 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/07 18:53:10.0796 1556 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/07 18:53:10.0890 1556 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/07 18:53:11.0093 1556 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/07 18:53:11.0234 1556 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/07 18:53:11.0484 1556 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/07 18:53:11.0687 1556 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/07 18:53:11.0921 1556 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/07 18:53:12.0250 1556 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/02/07 18:53:12.0531 1556 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/07 18:53:12.0625 1556 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/07 18:53:12.0812 1556 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/02/07 18:53:13.0015 1556 P16X (e433c553d00d76fbc616294b60a7a530) C:\WINDOWS\system32\drivers\P16X.sys
2011/02/07 18:53:13.0250 1556 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/07 18:53:13.0390 1556 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/07 18:53:13.0578 1556 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/07 18:53:13.0718 1556 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/07 18:53:14.0531 1556 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/07 18:53:14.0812 1556 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/07 18:53:16.0953 1556 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\System32\PfModNT.sys
2011/02/07 18:53:18.0000 1556 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/07 18:53:18.0515 1556 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/02/07 18:53:19.0046 1556 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/07 18:53:19.0437 1556 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/07 18:53:20.0218 1556 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/07 18:53:22.0406 1556 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/07 18:53:22.0796 1556 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/07 18:53:23.0265 1556 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/07 18:53:23.0796 1556 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/07 18:53:24.0250 1556 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/07 18:53:24.0781 1556 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/07 18:53:25.0187 1556 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/07 18:53:25.0890 1556 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/07 18:53:26.0437 1556 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/07 18:53:27.0187 1556 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/07 18:53:27.0750 1556 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/07 18:53:29.0062 1556 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/07 18:53:29.0468 1556 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/07 18:53:30.0421 1556 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/07 18:53:30.0718 1556 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/07 18:53:31.0031 1556 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/07 18:53:31.0343 1556 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/07 18:53:31.0671 1556 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/07 18:53:33.0125 1556 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/07 18:53:33.0625 1556 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/07 18:53:34.0125 1556 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/07 18:53:34.0765 1556 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/07 18:53:35.0421 1556 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/07 18:53:36.0343 1556 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/07 18:53:37.0171 1556 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/07 18:53:37.0718 1556 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/07 18:53:37.0968 1556 UsbCmxp (9cde12f787742b58f9bd326fe8598419) C:\WINDOWS\system32\DRIVERS\sacmxp2.sys
2011/02/07 18:53:38.0296 1556 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/07 18:53:38.0453 1556 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/07 18:53:38.0609 1556 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/07 18:53:38.0828 1556 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/07 18:53:38.0968 1556 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/07 18:53:39.0109 1556 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/07 18:53:39.0250 1556 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2011/02/07 18:53:39.0437 1556 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/07 18:53:39.0578 1556 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/07 18:53:39.0937 1556 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/07 18:53:40.0546 1556 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/07 18:53:40.0953 1556 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/02/07 18:53:41.0750 1556 ================================================================================
2011/02/07 18:53:41.0750 1556 Scan finished
2011/02/07 18:53:41.0750 1556 ================================================================================


ComboFix 11-01-31.02 - Rick 02/04/2011 21:56:09.3.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1726 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2011-01-05 to 2011-02-05 )))))))))))))))))))))))))))))))
.

2011-02-05 02:42 . 2011-02-05 02:42 -------- d-----w- c:\windows\LastGood
2011-02-04 13:35 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-02-04 13:35 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-01-31 02:03 . 2011-01-31 02:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Temp
2011-01-30 20:10 . 2011-01-30 20:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-30 20:10 . 2011-01-31 02:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Adobe
2011-01-30 19:58 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-01-30 19:58 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-01-30 19:58 . 2011-01-30 19:58 -------- d-----w- c:\windows\Logs
2011-01-30 19:58 . 2011-01-30 19:58 -------- d-----w- c:\program files\Winamp Detect
2011-01-30 19:46 . 2011-02-04 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-01-30 19:42 . 2011-01-30 19:42 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-30 19:42 . 2011-01-30 19:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-30 19:36 . 2011-01-30 19:36 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-01-30 19:36 . 2011-01-30 19:36 -------- d-----w- c:\program files\Common Files\xing shared
2011-01-30 19:36 . 2011-01-30 19:36 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-01-30 19:35 . 2011-01-30 19:35 100864 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-01-30 19:30 . 2010-12-03 19:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-01-30 19:30 . 2010-12-03 19:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-01-30 19:09 . 2011-01-30 19:09 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Secunia PSI
2011-01-30 19:09 . 2011-01-30 19:09 -------- d-----w- c:\program files\Secunia
2011-01-30 15:45 . 2011-01-30 15:45 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-01-30 05:35 . 2011-01-30 05:35 86016 --sha-r- c:\windows\system32\prnqctl5.dll
2011-01-18 04:27 . 2011-01-18 04:28 -------- d-----w- c:\program files\iTunes
2011-01-17 23:59 . 2011-01-30 21:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-17 23:54 . 2011-02-03 21:48 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-17 23:46 . 2011-01-17 23:46 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-17 23:46 . 2011-01-17 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-01-17 23:44 . 2011-01-17 23:44 -------- d-----w- c:\documents and settings\Administrator
2011-01-17 04:03 . 2011-01-17 04:03 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple
2011-01-17 02:04 . 2011-01-17 02:04 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-30 19:42 . 2007-06-13 11:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-30 19:35 . 2004-12-07 23:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-30 19:35 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-12-20 23:09 . 2009-07-02 03:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-07-02 03:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-12-07 21:14 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2002-09-03 19:50 249856 ----a-w- c:\windows\system32\odbc32.dll
2009-04-02 01:25 . 2009-04-02 01:25 1878888 ------w- c:\program files\install_flash_player.exe
2010-10-14 02:28 . 2010-11-05 01:19 24376 ------w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-05_02.19.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-12-07 21:18 . 2011-02-05 02:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-12-07 21:18 . 2011-02-04 11:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-12-07 21:18 . 2011-02-05 02:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-12-07 21:18 . 2011-02-04 11:18 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-02-05 02:42 . 2010-09-01 08:30 15544 c:\windows\LastGood\system32\DRIVERS\psi_mf.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PfLEguVYiWwSt.exe"="c:\documents and settings\All Users\Application Data\PfLEguVYiWwSt.exe" [BU]
"AVG Antivirus 2011"="c:\program files\AVG Antivirus 2011\avg.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-03 4800512]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-01-17 6347584]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-30 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-02-09 20:23 509784 ------w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 01:56 342312 ------w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2009 3:25 PM 64160]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/17/2010 10:08 PM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/17/2010 10:07 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/17/2010 10:08 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/17/2010 10:08 PM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/17/2010 10:08 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/17/2010 10:08 PM 88544]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/1/2009 10:22 PM 363344]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/17/2010 10:07 PM 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/17/2010 10:08 PM 55840]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 950096]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/1/2009 10:22 PM 20952]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/17/2010 10:08 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/17/2010 10:08 PM 84264]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [9/15/2005 8:25 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 14:39 451872 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:23]

2011-02-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-1960408961-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]

2011-02-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-1960408961-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\jb41nd37.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-04 22:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-02-04 22:06:29
ComboFix-quarantined-files.txt 2011-02-05 03:06

Pre-Run: 56,464,748,544 bytes free
Post-Run: 56,404,746,240 bytes free

- - End Of File - - 3C78CC5C369684CE103EA8D4ED30B6D4
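Several findings in the ComboFix log above are the kind of thing a triage script can pick out of the "Reg Loading Points" section automatically: an autorun with a random-looking name running from All Users\Application Data, Security Center monitoring switched off for the installed antivirus, and the Windows Firewall standard profile set to EnableFirewall=0. The Python below is an added example for this thread; it is not part of ComboFix, of the helper's instructions or of the original posts. It parses a constructed excerpt shaped like the log's REGEDIT4-style output and applies four rules. The user-writable directory markers and the "case flip" threshold for random names are this example's own heuristics, not ComboFix logic.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for the findings seen above.

Added example for this thread; not ComboFix code and not part of the
original posts.  It parses the REGEDIT4-style text ComboFix emits and flags:
  * autorun entries whose target sits in a user-writable data directory,
  * autorun targets with random-looking mixed-case names,
  * Security Center 'DisableMonitoring' set to 1,
  * Windows Firewall 'EnableFirewall' set to 0 in the standard profile.
The directory markers and the case-flip threshold are heuristics chosen
for this example.
"""
import ntpath
import re

# Constructed excerpt, modelled on the 'Reg Loading Points' section of the
# ComboFix log in the thread (not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PfLEguVYiWwSt.exe"="c:\documents and settings\All Users\Application Data\PfLEguVYiWwSt.exe" [BU]
"AVG Antivirus 2011"="c:\program files\AVG Antivirus 2011\avg.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

# Heuristic: autoruns living in per-user or shared data directories are
# unusual for legitimate software and common for droppers.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\",
                         "\\temp\\", "\\appdata\\")
# Heuristic: legitimate binaries rarely alternate case many times
# (mcagent -> 0 flips, PfLEguVYiWwSt -> 9 flips).
CASE_FLIP_THRESHOLD = 4


def parse_sections(text):
    """Map each [key] header to a list of (value name, raw value) pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        value = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if value and current is not None:
            sections[current].append((value.group(1), value.group(2)))
    return sections


def autorun_target(raw_value):
    """Pull the quoted executable path out of a Run-key value."""
    m = re.match(r'^"([^"]*)"', raw_value)
    return m.group(1) if m else None


def case_flips(name):
    """Count upper/lower transitions between consecutive letters."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def numeric_value(raw_value):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' rendering to an int."""
    raw = raw_value.strip()
    m = re.match(r"^dword:([0-9a-fA-F]+)$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def triage(text):
    """Return findings as dicts with rule / key / name / detail."""
    findings = []
    for key, values in parse_sections(text).items():
        klow = key.lower()
        if klow.endswith("\\currentversion\\run"):
            for name, raw in values:
                path = autorun_target(raw)
                if not path:
                    continue
                stem = ntpath.splitext(ntpath.basename(path))[0]
                if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                    findings.append(dict(rule="autorun-from-data-dir", key=key,
                                         name=name, detail=path))
                flips = case_flips(stem)
                if flips >= CASE_FLIP_THRESHOLD:
                    findings.append(dict(rule="autorun-random-name", key=key,
                                         name=name, detail=f"{stem}: {flips} case changes"))
        elif "\\security center\\monitoring\\" in klow:
            product = key.rsplit("\\", 1)[-1]
            for name, raw in values:
                if name.lower() == "disablemonitoring" and numeric_value(raw) == 1:
                    findings.append(dict(rule="security-center-monitoring-disabled",
                                         key=key, name=name, detail=product))
        elif klow.endswith("firewallpolicy\\standardprofile"):
            for name, raw in values:
                if name.lower() == "enablefirewall" and numeric_value(raw) == 0:
                    findings.append(dict(rule="firewall-disabled", key=key,
                                         name=name, detail=raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:<38} {f['name']:<22} {f['detail']}")
```

Run against the excerpt, the script flags PfLEguVYiWwSt.exe twice (data-directory location and random name), the McAfeeAntiVirus monitoring override, and the disabled firewall profile. It deliberately does not flag the "AVG Antivirus 2011" entry: that target sits under Program Files with a plain name, so path and naming rules pass it, and a rogue-AV name like this needs an install-inventory or reputation check rather than a path heuristic. Treat rule output as a starting list for the human reviewer, not a verdict.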

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:15 AM

Posted 10 February 2011 - 05:01 PM

Hello,


Sorry, I have been working long hours and taking care of my wife. On the good note, your logs look good. Let's do some general cleanup of leftovers and final checking.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\documents and settings\All Users\Application Data\PfLEguVYiWwSt.exe
c:\program files\AVG Antivirus 2011\avg.exe

DDS::
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>

Registry::
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Things to include in your next reply:
Combofix.txt
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 Magic Rat
  • Topic Starter
  • Members
  • 11 posts

Posted 11 February 2011 - 04:25 PM

Thanks for the reply, and please don't worry about the delay. Your life comes first, of course. Way before my mess of a computer, which you're volunteering to fix. I hope your wife is ok.

Quick question, though, before I do all this. Do I need to do this in normal mode, or can I do it in safe mode? I ask because I have so far been able to do anything outside of safe mode. Programs just freeze up (though I'm able to move the cursor).

Thanks again.

#12 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 11 February 2011 - 05:32 PM

Hello,

Please try and run Eset in normal mode after you run Combofix.
Combofix can be run in either mode.



#13 Magic Rat
  • Topic Starter
  • Members
  • 11 posts

Posted 12 February 2011 - 02:15 AM

Eset detected nothing, and it did not offer me any opportunity to create a log. Other logs are below.

Computer is running fine until it slows to a halt. McAfee keeps shutting certain functions on and off.

Just now, I lost the ability to type this reply or click on anything (though the cursor remained free to move). What's going on?

Also, the AVG 2011 Antivirus icons remain in the programs menu, though perhaps they are no longer connected to any .exe

Here are the logs. Thanks for everything so far. Think we might be close. Or not.



ComboFix 11-02-11.01 - Rick 02/12/2011 0:04.4.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1742 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\All Users\Application Data\PfLEguVYiWwSt.exe"
"c:\program files\AVG Antivirus 2011\avg.exe"
.

((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))
.

2011-02-04 13:35 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-02-04 13:35 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-01-31 02:03 . 2011-01-31 02:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Temp
2011-01-30 20:10 . 2011-01-30 20:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-30 20:10 . 2011-01-31 02:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Adobe
2011-01-30 19:58 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-01-30 19:58 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-01-30 19:58 . 2011-01-30 19:58 -------- d-----w- c:\windows\Logs
2011-01-30 19:58 . 2011-01-30 19:58 -------- d-----w- c:\program files\Winamp Detect
2011-01-30 19:46 . 2011-02-04 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-01-30 19:42 . 2011-01-30 19:42 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-30 19:42 . 2011-01-30 19:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-30 19:36 . 2011-01-30 19:36 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-01-30 19:36 . 2011-01-30 19:36 -------- d-----w- c:\program files\Common Files\xing shared
2011-01-30 19:36 . 2011-01-30 19:36 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-01-30 19:35 . 2011-01-30 19:35 100864 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-01-30 19:30 . 2010-12-03 19:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-01-30 19:30 . 2010-12-03 19:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-01-30 19:09 . 2011-01-30 19:09 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Secunia PSI
2011-01-30 19:09 . 2011-01-30 19:09 -------- d-----w- c:\program files\Secunia
2011-01-30 15:45 . 2011-01-30 15:45 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-01-30 05:35 . 2011-01-30 05:35 86016 --sha-r- c:\windows\system32\prnqctl5.dll
2011-01-18 04:27 . 2011-01-18 04:28 -------- d-----w- c:\program files\iTunes
2011-01-17 23:59 . 2011-01-30 21:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-17 23:54 . 2011-02-03 21:48 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-17 23:46 . 2011-01-17 23:46 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-17 23:46 . 2011-01-17 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-01-17 23:44 . 2011-01-17 23:44 -------- d-----w- c:\documents and settings\Administrator
2011-01-17 04:03 . 2011-01-17 04:03 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple
2011-01-17 02:04 . 2011-01-17 02:04 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-30 19:42 . 2007-06-13 11:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-30 19:35 . 2004-12-07 23:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-30 19:35 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-12-20 23:09 . 2009-07-02 03:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-07-02 03:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-12-07 21:14 81920 ----a-w- c:\windows\system32\isign32.dll
2009-04-02 01:25 . 2009-04-02 01:25 1878888 ------w- c:\program files\install_flash_player.exe
2010-10-14 02:28 . 2010-11-05 01:19 24376 ------w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-05_02.19.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-12-07 21:18 . 2011-02-05 02:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-12-07 21:18 . 2011-02-04 11:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-03 4800512]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-01-17 6347584]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-30 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-02-09 20:23 509784 ------w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 01:56 342312 ------w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2009 3:25 PM 64160]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/17/2010 10:08 PM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/17/2010 10:07 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/17/2010 10:08 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/17/2010 10:08 PM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/17/2010 10:08 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/17/2010 10:08 PM 88544]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/1/2009 10:22 PM 363344]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/17/2010 10:07 PM 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/17/2010 10:08 PM 55840]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 950096]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/1/2009 10:22 PM 20952]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/17/2010 10:08 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/17/2010 10:08 PM 84264]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [9/15/2005 8:25 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 14:39 451872 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:23]

2011-02-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-1960408961-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]

2011-02-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-1960408961-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\jb41nd37.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-12 00:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-02-12 00:13:16
ComboFix-quarantined-files.txt 2011-02-12 05:13
ComboFix2.txt 2011-02-05 03:06

Pre-Run: 56,323,923,968 bytes free
Post-Run: 56,305,745,920 bytes free

- - End Of File - - 1D0DA003431D9C92F099D3353467EC63


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5745

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

2/12/2011 12:17:53 AM
mbam-log-2011-02-12 (00-17-53).txt

Scan type: Quick scan
Objects scanned: 161470
Time elapsed: 1 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 12 February 2011 - 12:54 PM

Hello,

Let's make sure there's no AVG left at all on your machine. You can go ahead and delete that icon from programs.


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\program files\AVG Antivirus 2011

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HitmanPro35"=-
Driver::
Lavasoft Ad-Aware Service

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

4.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt and Attach.txt logs.


Things to include in your next reply:
Combofix.txt
DrWebCureIt log
GMER log
DDS.txt
Attach.txt
How is your machine running now?

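As an added illustration of how the "DisableMonitoring"=dword:00000001 entries in the ComboFix log above map onto the Registry:: stanza of the CFScript, here is a small parser for the "Reg Loading Points" section that flags Security Center monitoring that has been switched off and emits the matching delete-value lines. This is example code written for this page, not from the thread or from ComboFix; the log excerpt inside it is constructed to mirror the entries quoted above.

```python
# Added example: parse the "Reg Loading Points" section of a ComboFix log
# and flag Windows Security Center monitoring that has been switched off.
# Not code from the thread or from ComboFix; SAMPLE_LOG is a constructed
# excerpt that mirrors the registry entries quoted in the thread.
import re

SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-01-17 6347584]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ExampleAV]
"DisableMonitoring"=dword:00000000
"""

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=data
QUOTED_PATH_RE = re.compile(r'^"([^"]*)"')  # leading quoted executable path

MONITORING_MARKER = '\\security center\\monitoring\\'


def parse_reg_points(text):
    """Return {key_path: {value_name: raw_data}} from a REGEDIT4-style block."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys


def disabled_monitoring(keys):
    """Security Center product names whose DisableMonitoring value is 1.

    A 1 here tells Security Center to stop reporting on that product, so a
    disabled AV or firewall no longer raises the usual warning for the user.
    """
    found = []
    for path, values in keys.items():
        if MONITORING_MARKER not in path.lower():
            continue
        if values.get('DisableMonitoring', '').lower() == 'dword:00000001':
            found.append(path.rsplit('\\', 1)[-1])
    return found


def run_entries(keys):
    """(value name, executable path) pairs from the HKLM Run key."""
    entries = []
    for path, values in keys.items():
        if not path.lower().endswith('\\windows\\currentversion\\run'):
            continue
        for name, data in values.items():
            quoted = QUOTED_PATH_RE.match(data)
            entries.append((name, quoted.group(1) if quoted else data))
    return entries


def cfscript_registry_fix(keys):
    """Build the Registry:: stanza that deletes each flagged DisableMonitoring
    value; "Name"=- is the ComboFix delete-value syntax used in the thread."""
    lines = ['Registry::']
    for path, values in keys.items():
        if MONITORING_MARKER not in path.lower():
            continue
        if values.get('DisableMonitoring', '').lower() == 'dword:00000001':
            lines.append('[%s]' % path)
            lines.append('"DisableMonitoring"=-')
    return '\n'.join(lines)


if __name__ == '__main__':
    parsed = parse_reg_points(SAMPLE_LOG)
    print('Security Center monitoring disabled for:', disabled_monitoring(parsed))
    for name, exe in run_entries(parsed):
        print('Run entry %-12s -> %s' % (name, exe))
    print(cfscript_registry_fix(parsed))
```

Running it against a real ComboFix.txt means pasting the REGEDIT4 block in place of SAMPLE_LOG; the generated stanza is only a starting point and a helper still decides what else (folders, drivers, Run entries) belongs in the script.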


#15 Magic Rat
  • Topic Starter
  • Members
  • 11 posts

Posted 12 February 2011 - 07:25 PM

DrWebCureIt did not find anything and produced no log.

The other logs are below.

Unfortunately, my computer still grinds to a halt in normal mode. I think there is something buggy about McAfee Security Center. Everything else seems to work. But when I turn on active scanning, it sometimes turns itself off. If I leave it off, I get constant messages to turn it on. And when I turn it on, I get a partial freeze where the cursor can move but nothing opens and no buttons respond (including McAfee). You'll see all the errors in the attach.log.

Also, the installed program aaa seems suspicious, no?

In any case, I might just get a new computer. This one is 8 years old and seems to be telling me something. I'm debating between an HPE-580t, a Dell Studio XPS 9100 and a Velocity Micro Vector Winter Edition. Any general thoughts?

Thanks again for all your help. Let me know if there is anything more to do here. I sure hope there is.



ComboFix 11-02-12.01 - Rick 02/12/2011 14:20:59.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1417 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LAVASOFT_AD-AWARE_SERVICE
-------\Service_Lavasoft Ad-Aware Service


((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))
.

2011-02-12 05:33 . 2011-02-12 05:33 -------- d-----w- c:\program files\ESET
2011-02-04 13:35 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-02-04 13:35 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-01-31 02:03 . 2011-01-31 02:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Temp
2011-01-30 20:10 . 2011-01-30 20:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-30 20:10 . 2011-01-31 02:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Adobe
2011-01-30 19:58 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-01-30 19:58 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-01-30 19:58 . 2011-01-30 19:58 -------- d-----w- c:\windows\Logs
2011-01-30 19:58 . 2011-01-30 19:58 -------- d-----w- c:\program files\Winamp Detect
2011-01-30 19:46 . 2011-02-04 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-01-30 19:42 . 2011-01-30 19:42 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-30 19:42 . 2011-01-30 19:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-30 19:36 . 2011-01-30 19:36 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-01-30 19:36 . 2011-01-30 19:36 -------- d-----w- c:\program files\Common Files\xing shared
2011-01-30 19:36 . 2011-01-30 19:36 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-01-30 19:35 . 2011-01-30 19:35 100864 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-01-30 19:30 . 2010-12-03 19:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-01-30 19:30 . 2010-12-03 19:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-01-30 19:09 . 2011-01-30 19:09 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Secunia PSI
2011-01-30 19:09 . 2011-01-30 19:09 -------- d-----w- c:\program files\Secunia
2011-01-30 15:45 . 2011-01-30 15:45 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-01-30 05:35 . 2011-01-30 05:35 86016 --sha-r- c:\windows\system32\prnqctl5.dll
2011-01-21 14:44 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-01-18 04:27 . 2011-01-18 04:28 -------- d-----w- c:\program files\iTunes
2011-01-17 23:59 . 2011-01-30 21:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-17 23:54 . 2011-02-12 05:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-17 23:46 . 2011-01-17 23:46 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-17 23:46 . 2011-01-17 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-01-17 23:44 . 2011-01-17 23:44 -------- d-----w- c:\documents and settings\Administrator
2011-01-17 04:03 . 2011-01-17 04:03 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple
2011-01-17 02:04 . 2011-01-17 02:04 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-30 19:42 . 2007-06-13 11:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-30 19:35 . 2004-12-07 23:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-30 19:35 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-21 14:44 . 2002-09-03 19:55 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-09-03 19:33 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-09-03 20:03 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-09-03 19:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2009-07-02 03:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2004-08-24 00:32 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2002-09-03 19:40 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2002-09-03 19:35 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 23:08 . 2009-07-02 03:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2002-09-03 19:42 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 389120 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-09-03 19:50 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-09-03 19:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2002-09-03 19:50 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-12-07 21:14 81920 ----a-w- c:\windows\system32\isign32.dll
2009-04-02 01:25 . 2009-04-02 01:25 1878888 ------w- c:\program files\install_flash_player.exe
2010-10-14 02:28 . 2010-11-05 01:19 24376 ------w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-03 4800512]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-30 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-02-09 20:23 509784 ------w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 01:56 342312 ------w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2009 3:25 PM 64160]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/17/2010 10:08 PM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/17/2010 10:07 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/17/2010 10:08 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/17/2010 10:08 PM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/17/2010 10:08 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/17/2010 10:08 PM 88544]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/1/2009 10:22 PM 363344]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/17/2010 10:07 PM 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/17/2010 10:08 PM 55840]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/1/2009 10:22 PM 20952]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/17/2010 10:08 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/17/2010 10:08 PM 84264]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [9/15/2005 8:25 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 14:39 451872 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:23]

2011-02-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-1960408961-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]

2011-02-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-1960408961-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\jb41nd37.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-12 14:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2011-02-12 14:39:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-12 19:39
ComboFix2.txt 2011-02-12 05:13
ComboFix3.txt 2011-02-05 03:06

Pre-Run: 55,901,818,880 bytes free
Post-Run: 55,876,345,856 bytes free

- - End Of File - - AB474EA64E10CF0E3266BEBDDA985E00

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-12 19:07:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-75FJA1 rev.14.03G14
Running: gmer.exe; Driver: C:\DOCUME~1\Rick\LOCALS~1\Temp\pgldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647C10]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF743E0F6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF743E122]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF743E178]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF743E0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF743E0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF743E0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF743E10C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF743E14E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF743E1A2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF743E18E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF743E162]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50F8D
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50082
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50065
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50FA8
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50FC3
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E50F55
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F72
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E50F04
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F15
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E500B8
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E5004A
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E50014
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E5009D
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E5002F
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50FD4
.text C:\WINDOWS\system32\services.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E50F3A
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070080
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FB0
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0006001D
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\lsass.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\lsass.exe[1092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\lsass.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE006E
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F6F
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE003D
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F8A
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F54
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00A6
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00E3
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00D2
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00F4
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0022
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0089
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\lsass.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00B7
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20FBC
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20043
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20FCD
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D20FDE
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D20F86
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D20028
.text C:\WINDOWS\system32\lsass.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20FA1
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10055
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10033
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10044
.text C:\WINDOWS\system32\lsass.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D10018
.text C:\WINDOWS\system32\lsass.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB0FCA
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0027
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0F32
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0016
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0F57
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0F83
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0EF0
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0038
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA0EB3
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA0EC4
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0E8E
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0F68
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0FD4
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0F0D
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0F9E
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0FB9
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA0EDF
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE0FA8
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE0F79
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE0FB9
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE0FD4
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE0036
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE0FE5
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AE0025
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD003A
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0FB9
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD000C
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FD4
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD0029
.text C:\WINDOWS\system32\svchost.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00014
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F97
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0082
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF004A
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F7C
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF00C2
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00DF
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F50
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F2B
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0065
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF00A7
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F6B
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C3005B
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FDE
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C3002F
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FA8
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C2004E
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C2000C
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C2001D
.text C:\WINDOWS\system32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02300FEF
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02300FDE
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0230000A
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022F0FE5
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 022F0098
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 022F0087
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022F006C
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 022F0051
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 022F0025
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022F00CB
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022F00BA
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022F0F4D
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022F00F0
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022F0F3C
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 022F0036
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 022F0000
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 022F00A9
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 022F0FB9
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 022F0FCA
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022F0F72
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02340FB2
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02340039
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02340FC3
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02340FD4
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02340F86
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02340FEF
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02340028
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02340F97
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02330062
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 02330051
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0233001B
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02330000
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02330036
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02330FE3
.text C:\WINDOWS\System32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0232000A
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02310FEF
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0231000A
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02310FD4
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 02310025
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FD4
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FE5
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F92
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900087
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0090006C
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900051
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900040
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000A2
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F66
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F2E
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000C7
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009000EC
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900FAF
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900F77
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900025
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F3F
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0022
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FDB
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0011
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE006C
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE0047
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0047
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0022
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FD7
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0011
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00920FC0
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00920011
.text C:\WINDOWS\System32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\System32\svchost.exe[1876] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D60000
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50F70
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50F81
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50F9E
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D5005B
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50FC3
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D500AC
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D5009B
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D500D8
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F3F
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50F24
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D5004A
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D5000A
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50080
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50025
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\System32\svchost.exe[1876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D500BD
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D4002C
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40F83
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D4001B
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D40F9E
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40000
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D40FAF
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 88]
.text C:\WINDOWS\System32\svchost.exe[1876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D40FC0
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80047
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80FBC
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D80011
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80000
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D8002C
.text C:\WINDOWS\System32\svchost.exe[1876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FD7
.text C:\WINDOWS\System32\svchost.exe[1876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B80036
.text C:\WINDOWS\System32\svchost.exe[1924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B80025
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B70F48
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B7003D
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B70F63
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B70F8A
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B70FA5
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B70F1C
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B70064
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B70EF7
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B70090
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B700A1
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B7002C
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B70F2D
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B70FCA
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B7001B
.text C:\WINDOWS\System32\svchost.exe[1924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B70075
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B6002F
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B60079
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B6001E
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B60FB2
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B60FC3
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D6, 88]
.text C:\WINDOWS\System32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B6004A
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B9004C
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90031
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90FD2
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B90FC1
.text C:\WINDOWS\System32\svchost.exe[1924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B9000C
.text C:\WINDOWS\Explorer.EXE[2072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\Explorer.EXE[2072] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0009000A
.text C:\WINDOWS\Explorer.EXE[2072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FD4
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F7B
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B007A
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FAC
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0069
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B003D
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F4F
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0097
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F0F
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F2A
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0EFE
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B004E
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0011
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F6A
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B002C
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FDB
.text C:\WINDOWS\Explorer.EXE[2072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00A8
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A002C
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A008E
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A007D
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0062
.text C:\WINDOWS\Explorer.EXE[2072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0047
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B004B
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B003A
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0029
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B000C
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\Explorer.EXE[2072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 002D0FDE
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 002D0FC3
.text C:\WINDOWS\Explorer.EXE[2072] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 002D0014
.text C:\WINDOWS\Explorer.EXE[2072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01660000
.text C:\program files\real\realplayer\update\realsched.exe[2492] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1800] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1800] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-12-12.02) - NTFSx86
Run by Rick at 19:08:40.57 on Sat 02/12/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1535 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Rick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101104211932.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102458049968
DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - hxxp://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\jb41nd37.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-9 64160]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-17 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-17 84072]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-1 363344]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-17 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-17 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-17 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-17 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-17 55840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-1 20952]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-17 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-17 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-17 88544]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-17 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-17 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-17 84264]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [2005-9-15 14336]

=============== Created Last 30 ================

2011-02-12 19:45:01 -------- d-----w- c:\documents and settings\rick\DoctorWeb
2011-02-12 05:33:51 -------- d-----w- c:\program files\ESET
2011-02-12 05:01:07 98816 ----a-w- c:\windows\sed.exe
2011-02-12 05:01:07 89088 ----a-w- c:\windows\MBR.exe
2011-02-12 05:01:07 256512 ----a-w- c:\windows\PEV.exe
2011-02-12 05:01:07 161792 ----a-w- c:\windows\SWREG.exe
2011-02-04 13:35:58 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-02-04 13:35:58 50176 ----a-w- c:\windows\system32\proquota.exe
2011-02-04 13:26:34 -------- d-sha-r- C:\cmdcons
2011-01-31 02:03:57 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Temp
2011-01-30 20:10:47 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Adobe
2011-01-30 19:58:48 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-01-30 19:58:44 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-01-30 19:58:31 -------- d-----w- c:\windows\Logs
2011-01-30 19:58:27 -------- d-----w- c:\program files\Winamp Detect
2011-01-30 19:42:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-30 19:42:36 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-01-30 19:36:57 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-01-30 19:36:36 -------- d-----w- c:\program files\common files\xing shared
2011-01-30 19:36:09 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-01-30 19:35:49 100864 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-01-30 19:30:51 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-01-30 19:30:51 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-01-30 19:09:34 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Secunia PSI
2011-01-30 19:09:18 -------- d-----w- c:\program files\Secunia
2011-01-30 15:45:45 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-01-30 05:35:53 86016 --sha-r- c:\windows\system32\prnqctl5.dll
2011-01-21 14:44:37 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-01-18 04:27:36 -------- d-----w- c:\program files\iTunes
2011-01-17 23:59:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-17 23:54:43 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-17 23:46:47 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-17 23:46:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

==================== Find3M ====================

2011-01-30 19:42:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-30 19:35:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-30 19:35:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2009-04-02 01:25:53 1878888 ------w- c:\program files\install_flash_player.exe

============= FINISH: 19:09:40.12 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/7/2004 4:18:48 PM
System Uptime: 2/12/2011 5:53:55 PM (2 hours ago)

Motherboard: Dell Computer Corp. | | 02Y832
Processor: Intel® Pentium® 4 CPU 2.40GHz | Microprocessor | 2394/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 52.019 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 932 GiB total, 489.289 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881028&REV_01\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881028&REV_01\4&1C660DD6&0&08F0
Service:

==== System Restore Points ===================

RP1: 1/30/2011 2:14:41 AM - System Checkpoint
RP2: 1/30/2011 2:22:16 PM - Removed Adobe Acrobat 6.0 Professional
RP3: 1/30/2011 2:28:25 PM - Removed Bonjour
RP4: 1/30/2011 2:41:17 PM - Removed Java™ 6 Update 18
RP5: 1/30/2011 2:42:00 PM - Installed Java™ 6 Update 22
RP6: 1/30/2011 2:46:01 PM - Installed WinZip 15.0
RP7: 1/30/2011 2:51:23 PM - Installed QuickTime
RP8: 1/30/2011 2:58:42 PM - Installed DirectX
RP9: 1/30/2011 3:11:46 PM - Installed Adobe Reader X.
RP10: 1/31/2011 3:42:17 PM - System Checkpoint
RP11: 2/1/2011 6:34:23 PM - System Checkpoint
RP12: 2/2/2011 1:11:16 AM - Spybot-S&D Spyware removal
RP13: 2/3/2011 9:21:56 PM - System Checkpoint
RP14: 2/12/2011 2:34:05 AM - Software Distribution Service 3.0

==== Installed Programs ======================

aaa
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.4
AutoUpdate
BitTornado 0.3.7
Canon MP Navigator 3.0
Canon MP160
Canon MP160 User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
CyberLink DVD Suite
Dell ResourceCD
DivX
DivX Player
Easy-WebPrint
Echoes Hub v2.2
ESET Online Scanner v3
Exact Audio Copy 0.99pb3
FLAC Installer 1.1.2a (remove only)
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 7
LightScribe System Software 1.14.19.1
LimeWire
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Shredder
Memorex exPressit Label Design Studio
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Standard Edition 2003
mkw Audio Compression Toolkit
Movica
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
neroxml
NVIDIA Windows 2000/XP Display Drivers
Octoshape add-in for Adobe Flash Player
PowerDVD
PowerProducer
Quicken 2005
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Scientific Atlanta WebSTAR 2000 series Cable Modem
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sound Blaster Live!
Spybot - Search & Destroy 1.3
Star Wars Galactic Battlegrounds
System Requirements Lab
Trader's Little Helper 2.4.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format Runtime
WinRAR archiver
WinZip 15.0

==== Event Viewer Messages From Past Week ========

2/9/2011 9:48:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
2/9/2011 9:48:01 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/9/2011 9:47:18 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
2/9/2011 9:46:01 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/9/2011 9:15:45 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/9/2011 12:38:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
2/9/2011 11:51:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
2/8/2011 9:29:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
2/8/2011 9:28:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm OMCI
2/7/2011 8:26:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaSvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
2/6/2011 4:46:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss Tcpip WS2IFSL
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/6/2011 4:46:47 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/12/2011 9:51:04 AM, error: Service Control Manager [7034] - The McShield service terminated unexpectedly. It has done this 9 time(s).
2/12/2011 5:56:14 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 00006cbc, parameter3 b9ab2adc, parameter4 00000000.
2/12/2011 4:02:40 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
2/12/2011 2:45:43 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
2/12/2011 2:45:42 AM, error: Service Control Manager [7034] - The McShield service terminated unexpectedly. It has done this 8 time(s).
2/12/2011 2:16:35 AM, error: Service Control Manager [7034] - The McShield service terminated unexpectedly. It has done this 7 time(s).
2/12/2011 2:00:34 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McShield service, but this action failed with the following error: An instance of the service is already running.
2/12/2011 12:37:18 AM, error: Service Control Manager [7034] - The McShield service terminated unexpectedly. It has done this 6 time(s).
2/12/2011 12:35:29 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/12/2011 12:31:00 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/12/2011 12:29:06 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/12/2011 12:27:07 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/12/2011 12:24:57 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/12/2011 10:23:39 AM, error: Service Control Manager [7034] - The McShield service terminated unexpectedly. It has done this 11 time(s).
2/12/2011 10:20:53 AM, error: Service Control Manager [7034] - The McShield service terminated unexpectedly. It has done this 10 time(s).

==== End Of File ===========================
