
Infected with Goodle keeps redirecting


  • This topic is locked
42 replies to this topic

#1 jkswanda
Posted 05 March 2011 - 03:10 PM

When using Internet Explorer and Mozilla Firefox with Google, when selecting one of the items from the Google search, most of the time I get redirected to other sites such as Plomedia, GimmeAnswers.org, etc. I run McAfee Internet virus software with the firewall running, and also Webroot Spy Sweeper running. I have run Malwarebytes Anti-Malware and it removed a few viruses and cookies, but that didn't solve this problem.
The following is a list of my computer system and some software:
Dell Desktop XPS DXpo51, Pentium D CPU 2.80 GHz with 2.7 GHz of 2.0 GB of RAM

-McAfee Internet Security software with the firewall running says my system is clean
-Webroot Spy Sweeper 6.1.0.145 usually shows a few cookies, but that is all.
-have used Malwarebytes Anti-Malware latest upgrade, showed a couple of viruses but has fixed this problem
-used SUPERAntiSpyware and it showed a few tracking cookies, but no trojans or viruses
-ran TDSSKiller from Kaspersky's site -- no infection found

Here are the DDS and GMER files


DDS (Ver_10-12-12.02) - NTFSx86
Run by John at 13:26:51.87 on Sat 03/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1268 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009 Deluxe\Planner\PLNRnote.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {22FBC808-BE21-4A32-954A-4C6DADB24509} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103233317.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [KelolandDesktop.exe] "c:\documents and settings\john\local settings\apps\2.0\ewrl6z94.0wd\w8vlc2qh.kq0\kelo..tion_3c6d74e4fb957e1d_0001.0001_dff654875c1213d0\KeloDesktop.exe"
uRun: [LightScribe Control Panel] "c:\program files\common files\lightscribe\LightScribeControlPanel.exe" -hidden
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe" /r
mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [SM1BG] "c:\windows\SM1BG.EXE"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CanonSolutionMenu] "c:\program files\canon\solutionmenu\CNSLMAIN.exe" /logon
mRun: [CanonMyPrinter] "c:\program files\canon\myprinter\BJMyPrt.exe" /logon
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe"
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1423.0\mswinext.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\DELLNE~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257035402294
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxps://secure.iolo.com/app/ocx/UpgradeVerify.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnlIXrs
LSA: Notification Packages = scecli scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\dh13hb6b.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-7 386840]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138801]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-7-9 244736]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-7 84072]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46800]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-12 54752]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-2-19 724664]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-2-19 724664]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-11-24 78104]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-7 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-7 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-7 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-7 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-7 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-7 141792]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-6-26 1201640]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-7 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-7 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-7 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-7 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-7 88544]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-22 136176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-7 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-7 84264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2011-03-05 02:03:49 -------- d-----w- c:\program files\Ask.com
2011-02-28 02:22:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-27 03:39:14 -------- d-----w- c:\docume~1\john\applic~1\McAfee
2011-02-24 02:31:01 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Sunbelt Software
2011-02-22 23:14:23 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-21 23:54:43 -------- d-----w- c:\program files\iPod
2011-02-21 23:54:38 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2011-02-19 02:16:32 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 18:26:16 98304 --sha-r- c:\windows\system32\oddbse32J.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ------w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ------w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ------w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-04-21 15:52:09 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 19:19:18 36963 ------w- c:\program files\common files\SM1updtr.dll

============= FINISH: 13:27:56.23 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-05 13:07:33
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.10.0
Running: gmer.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\axldapob.sys


---- System - GMER 1.0.15 ----

SSDT 8A585FA8 ZwAllocateVirtualMemory
SSDT 8A5CA8D8 ZwCreateKey
SSDT 8A5716D0 ZwCreateProcess
SSDT 8A571658 ZwCreateProcessEx
SSDT 8A571478 ZwCreateThread
SSDT 8A5D8148 ZwDeleteKey
SSDT 8A5D9148 ZwDeleteValueKey
SSDT 8A571220 ZwQueueApcThread
SSDT 8A585EB8 ZwReadVirtualMemory
SSDT 8A541180 ZwRenameKey
SSDT 8A571310 ZwSetContextThread
SSDT 8A5CA130 ZwSetInformationKey
SSDT 8A571568 ZwSetInformationProcess
SSDT 8A571388 ZwSetInformationThread
SSDT 8A5D91C0 ZwSetValueKey
SSDT 8A5714F0 ZwSuspendProcess
SSDT 8A571298 ZwSuspendThread
SSDT 8A5715E0 ZwTerminateProcess
SSDT 8A571400 ZwTerminateThread
SSDT 8A585F30 ZwWriteVirtualMemory

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9D7F16E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9D7F0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9D7F0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9D7F0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9D7F144]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9D7F184]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9D7F158]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9D7F15C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9D7F172 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9D7F188 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9D7F148 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9D7F0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9D7F0BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9D7F0D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB88B9360, 0x1DE5ED, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA17F2300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB7A07300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[368] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 05420000
.text C:\WINDOWS\System32\svchost.exe[368] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 05420FDB
.text C:\WINDOWS\System32\svchost.exe[368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 05420011
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05410FE5
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05410F5C
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05410047
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05410036
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05410F79
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05410F9E
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 054100A2
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05410087
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 054100D1
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05410F2E
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05410F1D
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0541001B
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05410FD4
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0541006C
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0541000A
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05410FB9
.text C:\WINDOWS\System32\svchost.exe[368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05410F3F
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 06760FB9
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0676004A
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 06760FD4
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0676000A
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 06760F8D
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 06760FEF
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0676002F
.text C:\WINDOWS\System32\svchost.exe[368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 06760FA8
.text C:\WINDOWS\System32\svchost.exe[368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0675005D
.text C:\WINDOWS\System32\svchost.exe[368] msvcrt.dll!system 77C293C7 5 Bytes JMP 06750038
.text C:\WINDOWS\System32\svchost.exe[368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 06750FE3
.text C:\WINDOWS\System32\svchost.exe[368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 06750000
.text C:\WINDOWS\System32\svchost.exe[368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 06750FD2
.text C:\WINDOWS\System32\svchost.exe[368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0675001D
.text C:\WINDOWS\System32\svchost.exe[368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 05440000
.text C:\WINDOWS\System32\svchost.exe[368] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 05430FEF
.text C:\WINDOWS\System32\svchost.exe[368] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 05430000
.text C:\WINDOWS\System32\svchost.exe[368] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 05430FCA
.text C:\WINDOWS\System32\svchost.exe[368] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 0543001B
.text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00980FD4
.text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00980FE5
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00970074
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00970F7F
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00970F90
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00970FA1
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00970FBC
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!GetStartupInfoW 7C801E54 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00970F58
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009700AA
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00970F18
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00970F33
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00970EFD
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00970043
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00970FDE
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00970099
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00970028
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00970FCD
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009700BB
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FC3
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0096005B
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00960FD4
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00960000
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0096004A
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00960039
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960FB2
.text C:\WINDOWS\system32\wuauclt.exe[2800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01010038
.text C:\WINDOWS\system32\wuauclt.exe[2800] msvcrt.dll!system 77C293C7 5 Bytes JMP 01010FA3
.text C:\WINDOWS\system32\wuauclt.exe[2800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010FD2
.text C:\WINDOWS\system32\wuauclt.exe[2800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\wuauclt.exe[2800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0101001D
.text C:\WINDOWS\system32\wuauclt.exe[2800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01010FE3
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020036
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0102006C
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01020025
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01020FAF
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01020FC0
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [22, 89]
.text C:\WINDOWS\system32\wuauclt.exe[2800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01020047
.text C:\WINDOWS\system32\wuauclt.exe[2800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01000FEF
.text C:\WINDOWS\System32\svchost.exe[3736] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F8000A
.text C:\WINDOWS\System32\svchost.exe[3736] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\System32\svchost.exe[3736] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F7005B
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70040
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70F66
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F83
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70025
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70091
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70080
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F1D
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70F2E
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F700C7
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70F9E
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F7000A
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F55
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\System32\svchost.exe[3736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F700A2
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60F9E
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60F6B
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60FB9
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60F7C
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F60014
.text C:\WINDOWS\System32\svchost.exe[3736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60F8D
.text C:\WINDOWS\System32\svchost.exe[3736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50F89
.text C:\WINDOWS\System32\svchost.exe[3736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50014
.text C:\WINDOWS\System32\svchost.exe[3736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50FB5
.text C:\WINDOWS\System32\svchost.exe[3736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50FE3
.text C:\WINDOWS\System32\svchost.exe[3736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FA4
.text C:\WINDOWS\System32\svchost.exe[3736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50FD2
.text C:\WINDOWS\System32\svchost.exe[3736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40FEF
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[3776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[3776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[5728] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\dllhost.exe[5728] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F10FB9
.text C:\WINDOWS\system32\dllhost.exe[5728] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F10FDE
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F0007D
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F88
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00062
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00051
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F35
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00F52
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F00F06
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F0009F
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F000BA
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FAF
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F6D
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\dllhost.exe[5728] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F0008E
.text C:\WINDOWS\system32\dllhost.exe[5728] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE005D
.text C:\WINDOWS\system32\dllhost.exe[5728] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0042
.text C:\WINDOWS\system32\dllhost.exe[5728] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0016
.text C:\WINDOWS\system32\dllhost.exe[5728] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\dllhost.exe[5728] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0027
.text C:\WINDOWS\system32\dllhost.exe[5728] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0FD2
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0036
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0076
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF0047
.text C:\WINDOWS\system32\dllhost.exe[5728] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0FCA
.text C:\WINDOWS\system32\dllhost.exe[5728] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip 88FFC378
Device \Driver\Tcpip \Device\Ip 890D93E8
Device \Driver\Tcpip \Device\Ip 892396C8
Device \Driver\Tcpip \Device\Ip 88EE3858

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 88FFC378
Device \Driver\Tcpip \Device\Tcp 890D93E8
Device \Driver\Tcpip \Device\Tcp 892396C8
Device \Driver\Tcpip \Device\Tcp 88EE3858

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Udp 88FFC378
Device \Driver\Tcpip \Device\Udp 890D93E8
Device \Driver\Tcpip \Device\Udp 892396C8
Device \Driver\Tcpip \Device\Udp 88EE3858

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 88FFC378
Device \Driver\Tcpip \Device\RawIp 890D93E8
Device \Driver\Tcpip \Device\RawIp 892396C8
Device \Driver\Tcpip \Device\RawIp 88EE3858

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST 88FFC378
Device \Driver\Tcpip \Device\IPMULTICAST 890D93E8
Device \Driver\Tcpip \Device\IPMULTICAST 892396C8
Device \Driver\Tcpip \Device\IPMULTICAST 88EE3858
Device \FileSystem\Fastfat \Fat A0193D20

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


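The GMER user-mode section above shows the same pattern in svchost.exe, wuauclt.exe and dllhost.exe: 5-byte inline hooks (a JMP written over the first instruction of the API) on ntdll, kernel32, ADVAPI32, msvcrt and WS2_32 exports whose targets (00F0xxxx to 00F8xxxx, 0100xxxx to 0103xxxx, 028Exxxx) GMER prints with no owning module, while the two hooks in McSvHost.exe carry the name of McAfee's mcproxy.dll. GMER appends the module name when the jump target lies inside a mapped image, so a hook with no name lands in memory that no file on disk backs, which is how injected code normally looks. On a machine with search redirects, that is the first thing a responder should pull out of this log. The script below is an added example, not something posted in this thread by either participant: it parses lines of this shape, folds split patches such as the `RegCreateKeyW + 3 ... [11, 89]` continuation into their parent hook, separates attributed from anonymous hooks per process, and reports which APIs are hooked anonymously in every affected process. The sample input is a few lines copied from the log above; the line format the regular expressions assume is inferred from those lines, not taken from a GMER specification.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER "User code sections"
# output posted above (one anonymous split hook, one McAfee-attributed hook set).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[2528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F2004A
.text C:\WINDOWS\system32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10FD4
.text C:\WINDOWS\system32\svchost.exe[2528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\system32\wuauclt.exe[2800] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 028E000A
.text C:\WINDOWS\system32\wuauclt.exe[2800] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01030058
.text C:\WINDOWS\system32\wuauclt.exe[2800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01000FEF
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[3776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[3776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
"""

# Assumed line format (inferred from the lines above, not a published GMER spec):
#   .text <process path>[<pid>] <module>!<function>[ + <offset>] <addr> <n> Bytes <patch>
# where <patch> is "JMP <target> [<owning module> (<description>)]" or raw bytes "[xx, yy]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>.+))?$")


def parse_hooks(text):
    """Parse GMER user-mode hook lines into dicts, folding '+ N' continuation
    lines (the tail of a split patch) into the hook recorded just before them."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        if d["offset"] is not None:
            for h in reversed(hooks):
                if h["pid"] == int(d["pid"]) and h["func"] == d["func"]:
                    h["extra_bytes"].append(d["rest"])
                    break
            continue
        jm = JMP_RE.match(d["rest"])
        hooks.append({
            "process": d["proc"],
            "pid": int(d["pid"]),
            "module": d["module"],
            "func": d["func"],
            "addr": int(d["addr"], 16),
            "size": int(d["size"]),
            "target": int(jm.group("target"), 16) if jm else None,
            # GMER prints the owning module after the target when the jump lands
            # inside a mapped image; an empty owner means anonymous memory.
            "owner": (jm.group("owner") or "").strip() if jm else "",
            "extra_bytes": [],
        })
    return hooks


def triage(hooks):
    """Group hooks per process into attributed (named module) and anonymous sets."""
    report = defaultdict(lambda: {"process": None, "anonymous": [], "attributed": {}})
    for h in hooks:
        entry = report[h["pid"]]
        entry["process"] = h["process"]
        api = f'{h["module"]}!{h["func"]}'
        if h["owner"]:
            entry["attributed"][api] = h["owner"].split(" (")[0]  # drop "(vendor/description)"
        else:
            entry["anonymous"].append(api)
    return dict(report)


def common_anonymous_apis(report):
    """APIs hooked into anonymous memory in every process that has such hooks:
    one consistent set across unrelated processes points at one injected component."""
    sets = [set(e["anonymous"]) for e in report.values() if e["anonymous"]]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    rep = triage(parse_hooks(SAMPLE_LOG))
    for pid, e in sorted(rep.items()):
        print(f'{e["process"]}[{pid}]: {len(e["anonymous"])} anonymous, '
              f'{len(e["attributed"])} attributed hook(s)')
        for api in e["anonymous"]:
            print(f"  ANONYMOUS  {api}")
        for api, owner in e["attributed"].items():
            print(f"  {owner}: {api}")
    print("hooked anonymously in every affected process:",
          sorted(common_anonymous_apis(rep)))
```

Run it against the whole "User code sections" block rather than the sample and the intersection comes out as the full ntdll/kernel32/ADVAPI32/msvcrt hook set, because each of the three system processes carries the same list. Anonymous hooks are a triage signal, not proof on their own: some security and sandboxing products also patch APIs from memory that is not backed by a module on disk, so the set still has to be checked against what is installed on the box (here McAfee's hooks are named, and Webroot's component shows up as a file-system filter in the Devices section rather than as user-mode hooks).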


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:42 PM

Posted 08 March 2011 - 10:49 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 jkswanda

jkswanda
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:42 PM

Posted 09 March 2011 - 01:06 AM

I installed the MS Windows Recovery Console, and then ran the ComboFix program. I got to the step "Preparing Log report". After quite a while, the computer rebooted and then a warning message as listed below:

Windows - No Disk x Exception Processing message
Cooooo13 Parameters 75b6bf7c 4 75b6bfx came up. I let it sit for about 60 minutes, and then rebooted the computer. The computer came back up and seemed to load everything.

I attached the ComboFix log file, not sure if it is complete because of the error message listed above. Here is the ComboFix log file


ComboFix 11-03-08.03 - John 03/08/2011 22:26:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1307 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\John\GoToAssistDownloadHelper.exe
C:\Program Files\Quicktime\QTTask.exe
C:\Program Files\Search Toolbar
C:\Program Files\Search Toolbar\icon.ico
C:\WINDOWS\desktop
C:\WINDOWS\desktop\manual_us.doc
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\_003880_.tmp.dll
C:\WINDOWS\system32\_003881_.tmp.dll
C:\WINDOWS\system32\_003882_.tmp.dll
C:\WINDOWS\system32\_003883_.tmp.dll
C:\WINDOWS\system32\_003890_.tmp.dll
C:\WINDOWS\system32\_003891_.tmp.dll
C:\WINDOWS\system32\_003892_.tmp.dll
C:\WINDOWS\system32\_003893_.tmp.dll
C:\WINDOWS\system32\_003895_.tmp.dll
C:\WINDOWS\system32\_003896_.tmp.dll
C:\WINDOWS\system32\_003899_.tmp.dll
C:\WINDOWS\system32\_003900_.tmp.dll
C:\WINDOWS\system32\_003902_.tmp.dll
C:\WINDOWS\system32\_003903_.tmp.dll
C:\WINDOWS\system32\_003904_.tmp.dll
C:\WINDOWS\system32\_003906_.tmp.dll
C:\WINDOWS\system32\_003907_.tmp.dll
C:\WINDOWS\system32\_003909_.tmp.dll
C:\WINDOWS\system32\_003910_.tmp.dll
C:\WINDOWS\system32\_003914_.tmp.dll
C:\WINDOWS\system32\_003915_.tmp.dll
C:\WINDOWS\system32\_003917_.tmp.dll
C:\WINDOWS\system32\_003920_.tmp.dll
C:\WINDOWS\system32\_003922_.tmp.dll
C:\WINDOWS\system32\_003923_.tmp.dll
C:\WINDOWS\system32\_003924_.tmp.dll
C:\WINDOWS\system32\_003925_.tmp.dll
C:\WINDOWS\system32\_003926_.tmp.dll
C:\WINDOWS\system32\_003929_.tmp.dll
C:\WINDOWS\system32\_003930_.tmp.dll
C:\WINDOWS\system32\_003931_.tmp.dll
C:\WINDOWS\system32\_003932_.tmp.dll
C:\WINDOWS\system32\_003933_.tmp.dll
C:\WINDOWS\system32\_003938_.tmp.dll
C:\WINDOWS\system32\_003940_.tmp.dll
C:\WINDOWS\system32\_003941_.tmp.dll
C:\WINDOWS\system32\logs
C:\WINDOWS\XSxS


((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))


2011-03-09 04:44:15 . 2011-03-09 04:44:15 6429 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-03-09 04:44:15 . 2011-03-09 04:44:15 63115 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-03-09 04:44:15 . 2011-03-09 04:44:15 4599 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-03-09 04:44:14 . 2011-03-09 04:44:14 9310 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-03-09 04:44:14 . 2011-03-09 04:44:14 8646 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-03-09 04:44:13 . 2011-03-09 04:44:13 5927 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-03-09 04:44:12 . 2011-03-09 04:44:12 8613 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-03-09 04:44:12 . 2011-03-09 04:44:12 1651 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-03-09 04:44:11 . 2011-03-09 04:44:11 6910 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-03-09 04:44:09 . 2011-03-09 04:44:09 6208 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-03-09 04:44:09 . 2011-03-09 04:44:09 18541 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-03-09 04:44:08 . 2011-03-09 04:44:08 8288 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-03-09 04:43:57 . 2011-03-09 04:43:57 51852 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-03-09 04:43:54 . 2011-03-09 04:43:54 20719 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-03-09 04:43:52 . 2011-03-09 04:43:52 23327 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-03-09 04:43:51 . 2011-03-09 04:43:51 7271 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-03-09 04:43:50 . 2011-03-09 04:43:50 8782 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-03-09 04:16:39 . 2011-03-09 04:17:50 -------- d-----w- C:\32788R22FWJFW
2011-03-09 02:19:49 . 2011-03-09 02:19:49 -------- d-----w- C:\WINDOWS\LastGood.Tmp
2011-03-05 02:03:49 . 2011-03-05 02:03:49 -------- d-----w- C:\Program Files\Ask.com
2011-02-28 02:22:02 . 2011-02-28 02:22:02 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-27 03:39:14 . 2011-02-27 03:39:14 -------- d-----w- C:\Documents and Settings\John\Application Data\McAfee
2011-02-24 02:31:01 . 2011-02-24 02:31:01 -------- d-----w- C:\Documents and Settings\John\Local Settings\Application Data\Sunbelt Software
2011-02-22 23:14:23 . 2011-02-24 02:35:43 98392 ----a-w- C:\WINDOWS\system32\drivers\SBREDrv.sys
2011-02-21 23:54:43 . 2011-02-21 23:54:43 -------- d-----w- C:\Program Files\iPod
2011-02-21 23:54:38 . 2011-02-21 23:55:57 -------- d-----w- C:\Program Files\iTunes


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-02-19 02:16:32 . 2009-09-26 16:33:14 398760 ----a-r- C:\WINDOWS\system32\cpnprt2.cid
2011-01-21 14:44:37 . 2005-08-16 09:18:36 439296 ----a-w- C:\WINDOWS\system32\shimgvw.dll
2011-01-07 14:09:02 . 2005-08-16 09:18:04 290048 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-12-31 13:10:33 . 2008-09-10 01:18:25 1854976 ------w- C:\WINDOWS\system32\win32k.sys
2010-12-22 12:34:28 . 2005-08-16 09:18:21 301568 ----a-w- C:\WINDOWS\system32\kerberos.dll
2010-12-21 00:09:00 . 2010-08-13 13:09:42 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08:40 . 2010-08-13 13:09:40 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-12-20 23:59:20 . 2005-08-16 09:18:45 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-12-20 23:59:19 . 2005-08-16 09:18:22 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2010-12-20 23:59:19 . 2005-08-16 09:18:19 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2010-12-20 17:26:00 . 2008-09-10 01:18:28 730112 ------w- C:\WINDOWS\system32\lsasrv.dll
2010-12-20 12:55:26 . 2005-08-16 09:18:19 385024 ----a-w- C:\WINDOWS\system32\html.iec
2010-12-09 15:15:09 . 2008-09-10 01:18:28 718336 ------w- C:\WINDOWS\system32\ntdll.dll
2010-12-09 14:30:22 . 2008-09-10 01:18:29 33280 ------w- C:\WINDOWS\system32\csrsrv.dll
2010-12-09 13:42:26 . 2008-09-10 01:18:11 2148864 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2010-12-09 13:07:07 . 2008-09-10 01:18:11 2027008 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2006-04-21 15:52:09 . 2006-04-21 15:52:15 774144 ----a-w- C:\Program Files\RngInterstitial.dll
2003-08-27 19:19:18 . 2006-04-21 04:34:28 36963 ------w- C:\Program Files\Common Files\SM1updtr.dll
2010-10-14 03:28:54 . 2010-07-07 23:04:35 24376 ----a-w- C:\Program Files\mozilla firefox\components\Scriptff.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KelolandDesktop.exe"="C:\Documents and Settings\John\Local Settings\Apps\2.0\EWRL6Z94.0WD\W8VLC2QH.KQ0\kelo..tion_3c6d74e4fb957e1d_0001.0001_dff654875c1213d0\KeloDesktop.exe" [2008-03-06 16:09:46 401408]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 04:21:20 2387968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-09 04:57:00 7110656]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 12:56:14 139264]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 15:43:36 57344]
"CTHelper"="C:\WINDOWS\system32\CTHELPER.EXE" [2007-04-09 17:32:32 19456]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 04:46:24 57344]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 19:20:00 94208]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 20:52:42 240112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 20:05:42 69632]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 15:55:32 206064]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 01:01:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 01:50:00 1603152]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 23:17:16 47904]
"Bing Bar"="C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 21:26:02 243544]
"mcui_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2010-09-30 18:10:36 1193848]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 16:44:34 31072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-07-25 14:43:24 202256]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-01-25 21:08:14 421160]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 15:24:00 16384]
"SpySweeper"="C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 20:19:58 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 21:18:15 443968]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 15:14:38 79136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - [N/A]
Event Planner Reminder 2009.lnk - C:\WINDOWS\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2008-12-20 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 20:35:10 202024 ----a-w- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
2003-04-30 21:31:40 716800 ----a-w- C:\Program Files\Canon\BJCard\BJLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJPD HID Control]
2003-05-07 18:15:30 45056 ----a-w- C:\Program Files\Canon\BJPV\TVMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55:32 206064 ----a-w- C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 08:44:38 113136 ----a-w- C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01:14 67584 ----a-w- C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-11-07 16:45:11 196608 ----a-w- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44:02 249856 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 15:14:38 79136 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 14:51:46 1836328 ----a-w- C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57:24 153136 ----a-w- C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
2004-11-22 22:20:54 1126400 ----a-w- C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 18:02:14 79400 ----a-w- C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03:38 210472 ----a-w- C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-25 14:43:24 202256 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [7/29/2004 2:33:08 AM 138801]
R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\drivers\ssfs0bbc.sys [11/6/2009 11:00:34 AM 29808]
R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.sys [7/9/2008 3:48:26 PM 244736]
R1 mfetdi2k;McAfee Inc. mfetdi2k;C:\WINDOWS\system32\drivers\mfetdi2k.sys [7/7/2010 5:04:14 PM 84072]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [7/29/2004 3:13:28 AM 46800]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [2/19/2008 4:03:49 PM 724664]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [2/19/2008 4:03:49 PM 724664]
R2 iWinTrusted;iWinTrusted;C:\Program Files\iWin Games\iWinTrusted.exe [11/24/2009 1:43:00 PM 78104]
R2 McMPFSvc;McAfee Personal Firewall Service;"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/7/2010 5:04:00 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/7/2010 5:04:00 PM 271480]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [7/7/2010 5:04:42 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [7/7/2010 5:04:17 PM 141792]
R2 WRConsumerService;Webroot Client Service;C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe [6/26/2010 6:59:49 PM 1201640]
R3 cfwids;McAfee Inc. cfwids;C:\WINDOWS\system32\drivers\cfwids.sys [7/7/2010 5:04:14 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;C:\WINDOWS\system32\drivers\mfefirek.sys [7/7/2010 5:04:14 PM 313288]
R3 mfendiskmp;mfendiskmp;C:\WINDOWS\system32\drivers\mfendisk.sys [7/7/2010 5:04:14 PM 88544]
S0 Lbd;Lbd;C:\WINDOWS\system32\DRIVERS\Lbd.sys --> C:\WINDOWS\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [8/22/2010 7:09:16 PM 136176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53:16 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52:48 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52:46 PM 166384]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;C:\WINDOWS\system32\drivers\mfendisk.sys [7/7/2010 5:04:14 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;C:\WINDOWS\system32\drivers\mferkdet.sys [7/7/2010 5:04:14 PM 84264]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [8/2/2005 3:10:13 PM 32512]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53:14 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52:38 PM 1083888]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-12-07 04:18:44 451872 ----a-w- C:\Program Files\Common Files\LightScribe\LSRunOnce.exe

Contents of the 'Scheduled Tasks' folder

2011-02-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57:18 . 2008-07-30 17:34:12]

2011-03-09 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-08-23 01:09:16 . 2010-08-23 01:08:53]

2011-03-09 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-08-23 01:09:16 . 2010-08-23 01:08:53]

2011-03-09 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-2387373335-3420589129-3197500523-1005.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02:42 . 2010-06-03 08:02:42]

2011-03-05 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-2387373335-3420589129-3197500523-1005.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02:42 . 2010-06-03 08:02:42]

2011-03-05 C:\WINDOWS\Tasks\vtscheduletask.job
- C:\Program Files\McAfee\Supportability\MVT\MvtApp.exe [2011-02-27 03:37:52 . 2010-10-28 20:25:50]

2011-03-04 C:\WINDOWS\Tasks\wrSpySweeper_LA2BAC308025F411493B97D1D6DC4837E.job
- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-06-27 00:59:00 . 2009-11-06 20:19:58]


#4 CatByte (Malware Response Team)

Posted 09 March 2011 - 09:28 AM

Hi

Please re-run combofix and post the resulting log.

NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 jkswanda (Topic Starter)

Posted 09 March 2011 - 04:29 PM

I ran the programs you asked me to run. I did get one error when running the ComboFix program.
The error was "PEV.cffxxe application error"; then ComboFix continued running, completed, and made a log file.

ComboFix 11-03-08.03 - John 03/09/2011 9:30.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1334 [GMT -6:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\John\GoToAssistDownloadHelper.exe
c:\program files\Quicktime\QTTask.exe
c:\program files\Search Toolbar\icon.ico
c:\windows\desktop\manual_us.doc
c:\windows\Fonts\a.zip
c:\windows\system32\_003880_.tmp.dll
c:\windows\system32\_003881_.tmp.dll
c:\windows\system32\_003882_.tmp.dll
c:\windows\system32\_003883_.tmp.dll
c:\windows\system32\_003890_.tmp.dll
c:\windows\system32\_003891_.tmp.dll
c:\windows\system32\_003892_.tmp.dll
c:\windows\system32\_003893_.tmp.dll
c:\windows\system32\_003895_.tmp.dll
c:\windows\system32\_003896_.tmp.dll
c:\windows\system32\_003899_.tmp.dll
c:\windows\system32\_003900_.tmp.dll
c:\windows\system32\_003902_.tmp.dll
c:\windows\system32\_003903_.tmp.dll
c:\windows\system32\_003904_.tmp.dll
c:\windows\system32\_003906_.tmp.dll
c:\windows\system32\_003907_.tmp.dll
c:\windows\system32\_003909_.tmp.dll
c:\windows\system32\_003910_.tmp.dll
c:\windows\system32\_003914_.tmp.dll
c:\windows\system32\_003915_.tmp.dll
c:\windows\system32\_003917_.tmp.dll
c:\windows\system32\_003920_.tmp.dll
c:\windows\system32\_003922_.tmp.dll
c:\windows\system32\_003923_.tmp.dll
c:\windows\system32\_003924_.tmp.dll
c:\windows\system32\_003925_.tmp.dll
c:\windows\system32\_003926_.tmp.dll
c:\windows\system32\_003929_.tmp.dll
c:\windows\system32\_003930_.tmp.dll
c:\windows\system32\_003931_.tmp.dll
c:\windows\system32\_003932_.tmp.dll
c:\windows\system32\_003933_.tmp.dll
c:\windows\system32\_003938_.tmp.dll
c:\windows\system32\_003940_.tmp.dll
c:\windows\system32\_003941_.tmp.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 14:47 . 2011-03-09 14:47 -------- d-----w- c:\windows\LastGood
2011-03-05 02:03 . 2011-03-05 02:03 -------- d-----w- c:\program files\Ask.com
2011-02-28 02:22 . 2011-02-28 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-27 03:39 . 2011-02-27 03:39 -------- d-----w- c:\documents and settings\John\Application Data\McAfee
2011-02-24 02:31 . 2011-02-24 02:31 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Sunbelt Software
2011-02-22 23:14 . 2011-02-24 02:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-21 23:54 . 2011-02-21 23:54 -------- d-----w- c:\program files\iPod
2011-02-21 23:54 . 2011-02-21 23:55 -------- d-----w- c:\program files\iTunes
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-19 02:16 . 2009-09-26 16:33 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-04 23:48 . 2005-08-16 09:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 23:48 . 2005-08-16 09:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 09:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 09:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 09:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-10 01:18 1854976 ------w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-21 00:09 . 2010-08-13 13:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-08-13 13:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 23:59 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2005-08-16 09:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-09-10 01:18 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec
2006-04-21 15:52 . 2006-04-21 15:52 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 19:19 . 2006-04-21 04:34 36963 ------w- c:\program files\Common Files\SM1updtr.dll
2010-10-14 03:28 . 2010-07-07 23:04 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 2387968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2007-04-09 19456]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-25 202256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [BU]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - [N/A]
Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2008-12-20 237568]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 20:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
2003-04-30 21:31 716800 ----a-w- c:\program files\Canon\BJCard\BJLaunch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJPD HID Control]
2003-05-07 18:15 45056 ----a-w- c:\program files\Canon\BJPV\TVMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 08:44 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-11-07 16:45 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 15:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 14:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
2004-11-22 22:20 1126400 ----a-w- c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 18:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-25 14:43 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 2:33 AM 138801]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 11:00 AM 29808]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [7/9/2008 3:48 PM 244736]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [7/7/2010 5:04 PM 84072]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 3:13 AM 46800]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/19/2008 4:03 PM 724664]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/19/2008 4:03 PM 724664]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [11/24/2009 1:43 PM 78104]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/7/2010 5:04 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/7/2010 5:04 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/7/2010 5:04 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/7/2010 5:04 PM 141792]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/26/2010 6:59 PM 1201640]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/7/2010 5:04 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/7/2010 5:04 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [7/7/2010 5:04 PM 88544]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2010 7:09 PM 136176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [7/7/2010 5:04 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7/7/2010 5:04 PM 84264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 3:10 PM 32512]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-12-07 04:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 01:08]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 01:08]
.
2011-03-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2387373335-3420589129-3197500523-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2011-03-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2387373335-3420589129-3197500523-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2011-03-05 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-02-27 20:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxps://secure.iolo.com/app/ocx/UpgradeVerify.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\dh13hb6b.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{22FBC808-BE21-4A32-954A-4C6DADB24509} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVD-uninst.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-09 09:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2387373335-3420589129-3197500523-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(5560)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-09 10:03:16
ComboFix-quarantined-files.txt 2011-03-09 16:03
.
Pre-Run: 78,883,364,864 bytes free
Post-Run: 78,862,864,384 bytes free
.
- - End Of File - - B4F54BFAE247048355A61F3A5059F80F

mbam-log-2011-03-09
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5999

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/9/2011 10:23:56 AM
mbam-log-2011-03-09 (10-23-56).txt

Scan type: Quick scan
Objects scanned: 182285
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETSCAN.txt
C:\Downloads\nero 8.1.1\Nero-8.1.1.0_eng_trial_wch.exe Win32/Toolbar.AskSBar application
C:\Downloads\utility\Search and Recover\SearchAndRecover.exe probably unknown NewHeur_PE virus
C:\Program Files\FoxTabVideoConverter\VideoConverter.exe a variant of Win32/SweetIM.B application

#6 CatByte (Malware Response Team)

Posted 09 March 2011 - 04:46 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Driver::
iWinTrusted

Folder::
c:\program files\iWin Games

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 24. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java™ SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.
  • Delete jre-6u24-windows-i586-p.exe from your desktop.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
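The post above asks for two things whose outcome can be verified on the machine: that the CFScript targets (the iWinTrusted driver and the iWin Games folder) are really gone after the ComboFix run, and that no older Java runtimes remain after the update. The following PowerShell is an added example written for this thread, not a tool from the post or from ComboFix; it assumes an elevated prompt on the affected machine and uses the standard Services, Run and Uninstall registry locations (the Wow6432Node path only exists on 64-bit Windows and is skipped silently elsewhere).

```powershell
# Added example (not from the thread or from ComboFix): confirms the CFScript
# targets are gone and inventories installed Java versions so stale ones can
# be spotted. Run in an elevated PowerShell prompt after the ComboFix reboot.

$driverName = 'iWinTrusted'                 # Driver:: entry from the CFScript
$folder     = 'C:\Program Files\iWin Games' # Folder:: entry from the CFScript

function Test-RemovalComplete {
    param([string]$ServiceName, [string]$FolderPath)
    $findings = @()

    # ComboFix reported removing both Service_iWinTrusted and the legacy
    # device entry; the Services key is the authoritative place to check.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path $svcKey) { $findings += "service key still present: $svcKey" }

    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        $findings += "service object still registered: $ServiceName"
    }

    if (Test-Path -LiteralPath $FolderPath) {
        $findings += "folder still present: $FolderPath"
    }

    # A Run value still pointing into the removed folder is a loading point
    # worth noting even when the target file no longer exists.
    foreach ($runKey in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $runKey)) { continue }
        $values = Get-ItemProperty -Path $runKey
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like "*$FolderPath*") {
                $findings += "Run value '$($p.Name)' in $runKey points at $($p.Value)"
            }
        }
    }
    return $findings   # an empty array means the cleanup took effect
}

function Get-InstalledJava {
    # Enumerate Add/Remove Programs entries (native and 32-bit views) and
    # return the Java-related ones, oldest version first.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
        Select-Object DisplayName, DisplayVersion, UninstallString |
        Sort-Object DisplayVersion
}

$findings = Test-RemovalComplete -ServiceName $driverName -FolderPath $folder
if ($findings.Count -eq 0) {
    Write-Host "OK: $driverName and $folder are gone"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

Write-Host "`nInstalled Java versions (remove everything but the newest):"
Get-InstalledJava | Format-Table -AutoSize
```

The Java inventory only reads the Uninstall keys, so it reports what Add or Remove Programs would show; it does not uninstall anything, which is deliberate so the list can be reviewed before each old entry is removed by hand as the post describes.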


#7 jkswanda

jkswanda
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 09 March 2011 - 06:20 PM

Here is the new ComboFix log with the CFScript added. Will also update my ADOBE and Java versions.

ComboFix 11-03-09.01 - John 03/09/2011 16:10:23.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1514 [GMT -6:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\iWin Games
c:\program files\iWin Games\iWinTrusted.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IWINTRUSTED
-------\Service_iWinTrusted
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 22:32 . 2011-03-09 22:32 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-03-09 22:32 . 2011-03-09 22:32 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-03-09 17:23 . 2011-03-09 17:23 -------- d-----w- c:\program files\ESET
2011-03-05 02:03 . 2011-03-05 02:03 -------- d-----w- c:\program files\Ask.com
2011-02-28 02:22 . 2011-02-28 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-27 03:39 . 2011-02-27 03:39 -------- d-----w- c:\documents and settings\John\Application Data\McAfee
2011-02-24 02:31 . 2011-02-24 02:31 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Sunbelt Software
2011-02-22 23:14 . 2011-02-24 02:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-21 23:54 . 2011-02-21 23:54 -------- d-----w- c:\program files\iPod
2011-02-21 23:54 . 2011-02-21 23:55 -------- d-----w- c:\program files\iTunes
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-19 02:16 . 2009-09-26 16:33 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-04 23:48 . 2005-08-16 09:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 23:48 . 2005-08-16 09:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 09:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 09:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 09:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-10 01:18 1854976 ------w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-21 00:09 . 2010-08-13 13:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-08-13 13:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 23:59 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2005-08-16 09:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-09-10 01:18 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec
2006-04-21 15:52 . 2006-04-21 15:52 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 19:19 . 2006-04-21 04:34 36963 ------w- c:\program files\Common Files\SM1updtr.dll
2010-10-14 03:28 . 2010-07-07 23:04 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 2387968]
"KelolandDesktop.exe"="c:\documents and settings\John\Local Settings\Apps\2.0\EWRL6Z94.0WD\W8VLC2QH.KQ0\kelo..tion_3c6d74e4fb957e1d_0001.0001_dff654875c1213d0\KeloDesktop.exe" [2008-03-06 401408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2007-04-09 19456]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-25 202256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [BU]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - [N/A]
Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2008-12-20 237568]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 20:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
2003-04-30 21:31 716800 ----a-w- c:\program files\Canon\BJCard\BJLaunch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJPD HID Control]
2003-05-07 18:15 45056 ----a-w- c:\program files\Canon\BJPV\TVMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 08:44 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-11-07 16:45 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 15:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 14:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
2004-11-22 22:20 1126400 ----a-w- c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 18:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-25 14:43 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 2:33 AM 138801]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 11:00 AM 29808]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [7/9/2008 3:48 PM 244736]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [7/7/2010 5:04 PM 84072]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 3:13 AM 46800]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/19/2008 4:03 PM 724664]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/19/2008 4:03 PM 724664]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/7/2010 5:04 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/7/2010 5:04 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/7/2010 5:04 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/7/2010 5:04 PM 141792]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/26/2010 6:59 PM 1201640]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/7/2010 5:04 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/7/2010 5:04 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [7/7/2010 5:04 PM 88544]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2010 7:09 PM 136176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [7/7/2010 5:04 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7/7/2010 5:04 PM 84264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 3:10 PM 32512]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-12-07 04:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 01:08]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 01:08]
.
2011-03-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2387373335-3420589129-3197500523-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2011-03-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2387373335-3420589129-3197500523-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2011-03-09 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-02-27 20:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxps://secure.iolo.com/app/ocx/UpgradeVerify.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\dh13hb6b.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-09 16:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2387373335-3420589129-3197500523-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2348)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Canon\BJCard\Bjmcmng.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\program files\Webroot\WebrootSecurity\SSU.EXE
.
**************************************************************************
.
Completion time: 2011-03-09 16:53:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-09 22:53
ComboFix2.txt 2011-03-09 16:03
.
Pre-Run: 78,751,236,096 bytes free
Post-Run: 78,737,448,960 bytes free
.
- - End Of File - - 5A9C4C137E9D755AF1FE9D06374EE39D

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 March 2011 - 06:37 PM

Hi

Please advise how your computer is running now and if there are any outstanding issues



#9 jkswanda

jkswanda
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 09 March 2011 - 08:57 PM

Not sure if my answer made it, but my computer seems to be working OK at this time. Did a few searches with Google in Internet Explorer and don't seem to be redirected like I was before. Will check it out for a couple of days, and then get back to you; plus I want to help out a little with PayPal funds. Thanks for all the very good help.

jkswanda

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 March 2011 - 09:38 PM

Hi

Just some housekeeping to do now,

Please do the following:

You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.


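The "Make Internet Explorer more secure" steps in the post above set three ActiveX options for the Internet zone through the Inetcpl.cpl dialog. The same settings live in the per-user Internet Settings zone key, so they can be audited (and, if wanted, corrected) without clicking through the dialog. The script below is an added example, not something from the thread; it assumes the current user's profile, the documented zone 3 action IDs (1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls, 1201 = Initialize and script ActiveX controls not marked as safe) and the documented values 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example (not from the thread): audits the IE "Internet" zone (zone 3)
# for the three ActiveX settings the post tells the user to change, reports
# any value weaker than recommended, and optionally writes the recommended
# value. Action IDs and values are the documented Internet Settings zone
# values: 1001 = Download signed ActiveX controls, 1004 = Download unsigned
# ActiveX controls, 1201 = Initialize and script ActiveX controls not marked
# as safe; 0 = Enable, 1 = Prompt, 3 = Disable.

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values exactly as the post states them: Prompt, Prompt, Disable.
$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

function Get-ZoneSettingLabel([int]$Value) {
    switch ($Value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown ($Value)" } }
}

function Test-InternetZoneActiveX {
    param([string]$KeyPath = $zoneKey, [switch]$Fix)
    if (-not (Test-Path $KeyPath)) {
        throw "Zone key not found: $KeyPath (has this user ever opened Internet Options?)"
    }
    $props = Get-ItemProperty -Path $KeyPath
    $report = foreach ($setting in $recommended) {
        $id   = $setting.Id
        $want = $setting.Want
        # A missing value means IE falls back to the zone template default rather
        # than an explicit choice; report it as "not set" and treat it as
        # non-compliant so that -Fix writes an explicit value.
        $have = $props.$id
        $ok = ($null -ne $have) -and ([int]$have -eq $want)
        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $KeyPath -Name $id -Value $want -Type DWord
            $have = $want
            $ok = $true
        }
        if ($null -eq $have) { $currentLabel = 'not set' }
        else { $currentLabel = Get-ZoneSettingLabel ([int]$have) }
        New-Object PSObject -Property @{
            Setting     = $setting.Name
            Current     = $currentLabel
            Recommended = Get-ZoneSettingLabel $want
            Compliant   = $ok
        }
    }
    return $report
}

# Report only; run "Test-InternetZoneActiveX -Fix" to apply the recommended
# values for the current user (equivalent to the Custom level clicks above).
Test-InternetZoneActiveX | Format-Table Setting, Current, Recommended, Compliant -AutoSize
```

Because the zone values are per user, the audit has to be run as each account that browses; a domain or machine-wide policy would instead be read from the corresponding Policies key, which this example does not cover.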

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 March 2011 - 11:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



#12 jkswanda

jkswanda
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 11 May 2012 - 11:28 AM

I still can't upload attachments to the Bleeping Computer reply screen. When I right click I only get a delete option, but not the option to paste a log file or attachment. I can copy lines from within the log.txt files, but can't post the entire log file. I must be doing something wrong.

On your last instruction you had me load the combofix.exe file, and make a CFScript.txt file and run them on my computer. It runs, but after it gets to stage 50, it shows a number of files deleted see below:

Deleting Files:

C:\download\SkypeSetup.exe
C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll
C:\Program Files (x86)\Object\cartoonly\build.sh
C:\Program Files (x86)\Object\cartoonly\chrome.manifest
C:\Program Files (x86)\Object\cartoonly\config_build.sh
C:\Program Files (x86)\Object\cartoonly\content\._sudoku.js
C:\Program Files (x86)\Object\cartoonly\content\.DS_Store
C:\Program Files (x86)\Object\cartoonly\content\firefoxOverlay.xul
C:\Program Files (x86)\Object\cartoonly\content\installid.js
C:\Program Files (x86)\Object\cartoonly\content\overlay.js
C:\Program Files (x86)\Object\cartoonly\content\sudoku.js
C:\Program Files (x86)\Object\cartoonly\defaults\.DS_Store
C:\Program Files (x86)\Object\cartoonly\defaults\preferences\.DS_Store
C:\Program Files (x86)\Object\cartoonly\defaults\preferences\sudoku.js
C:\Program Files (x86)\Object\cartoonly\files
C:\Program Files (x86)\Object\cartoonly\install.rdf
C:\Program Files (x86)\Object\cartoonly\locale\.DS_Store
C:\Program Files (x86)\Object\cartoonly\locale\en-US\.DS_Store
C:\Program Files (x86)\Object\cartoonly\locale\en-US\sudoku.dtd
C:\Program Files (x86)\Object\cartoonly\locale\en-US\sudoku.properties
C:\Program Files (x86)\Object\cartoonly\readme.txt
C:\Program Files (x86)\Object\cartoonly\skin\overlay.css
C:\Program Files (x86)\Object\ChromeAddon.pem
C:\Program Files (x86)\Object\chromeaddon\._included.js
C:\Program Files (x86)\Object\chromeaddon\background.html
C:\Program Files (x86)\Object\chromeaddon\included.js
C:\Program Files (x86)\Object\chromeaddon\manifest.json
C:\Program Files (x86)\Object\config.ini
C:\Program Files (x86)\Object\status.txt
C:\Program Files (x86)\Object\status2.txt
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
C:\Users\JK Swanda\GoToAssistDownloadHelper.exe
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{f5f7fb7d-9862-11e1-a603-002219fcbf44}.TMContainer00000000000000000002.regtrans-ms

Deleting Folders:

C:\Program Files (x86)\Object

--Then the computer reboots, and every time it reboots, it comes back to the safe boot screen and everything is back to the condition the computer was in before I did anything. For example I had put the Combofix.exe and CFScript.exe on the computer's desktop but these are gone after it reboots. So I never get the log from the Combofix.exe run as it is gone when the computer reboots.

I can upload the TDSSKiller files by copying the lines, but can't load the entire log as I can't paste it to the reply screen.

Thanks for any help you can give me.

jkswanda

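Added example, not code from this thread or from ComboFix: the "Deleting Files" block above lists a Chrome extension (manifest.json, background.html, an included.js content script, plus a ChromeAddon.pem signing key) and a Firefox XUL extension (install.rdf, content\overlay.js) under C:\Program Files (x86)\Object, which is exactly the kind of add-on that rewrites search-result clicks. The script below classifies those deleted paths by component, then checks a manifest.json for the indicators a search hijacker needs: content scripts matched to search-engine hosts, broad host permissions, and a persistent background page. The thread does not show the real manifest, so SAMPLE_MANIFEST is constructed for illustration; the path list is copied from the log above.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

OBJECT_ROOT = r"C:\Program Files (x86)\Object"

# Paths taken from the ComboFix "Deleting Files" block in the post above.
DELETED_PATHS = [
    r"C:\Program Files (x86)\Object\cartoonly\content\overlay.js",
    r"C:\Program Files (x86)\Object\cartoonly\content\sudoku.js",
    r"C:\Program Files (x86)\Object\cartoonly\defaults\.DS_Store",
    r"C:\Program Files (x86)\Object\cartoonly\defaults\preferences\sudoku.js",
    r"C:\Program Files (x86)\Object\cartoonly\install.rdf",
    r"C:\Program Files (x86)\Object\cartoonly\locale\en-US\sudoku.dtd",
    r"C:\Program Files (x86)\Object\cartoonly\skin\overlay.css",
    r"C:\Program Files (x86)\Object\ChromeAddon.pem",
    r"C:\Program Files (x86)\Object\chromeaddon\._included.js",
    r"C:\Program Files (x86)\Object\chromeaddon\background.html",
    r"C:\Program Files (x86)\Object\chromeaddon\included.js",
    r"C:\Program Files (x86)\Object\chromeaddon\manifest.json",
    r"C:\Program Files (x86)\Object\config.ini",
]

# Filename -> what it tells an analyst. These are markers, not proof: read the files to confirm.
MARKERS = {
    "manifest.json": "chrome-extension",
    "background.html": "chrome-background-page",
    "install.rdf": "firefox-xul-extension",
    "overlay.js": "firefox-browser-overlay",
    ".ds_store": "built-on-macos",
}


def classify_path(path: str) -> str:
    name = path.rsplit("\\", 1)[-1].lower()
    if name in MARKERS:
        return MARKERS[name]
    if name.endswith(".pem"):
        return "extension-signing-key"   # private key used to pack a .crx
    if name.startswith("._"):
        return "macos-resource-fork"     # AppleDouble file, another macOS build artefact
    return "other"


def summarize(paths: List[str], root: str) -> Dict[str, Set[str]]:
    """Group markers by the first directory under root, i.e. one bucket per extension."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for p in paths:
        if not p.lower().startswith(root.lower()):
            continue
        rel = p[len(root):].lstrip("\\")
        bucket = rel.split("\\", 1)[0] if "\\" in rel else "(root)"
        tag = classify_path(p)
        if tag != "other":
            out[bucket].add(tag)
    return dict(out)


# Hypothetical manifest (Chrome manifest v1 era, matching the background.html in the log).
SAMPLE_MANIFEST = json.loads("""{
  "name": "ChromeAddon", "version": "1.0",
  "background_page": "background.html",
  "permissions": ["tabs", "http://*/*", "https://*/*"],
  "content_scripts": [{"matches": ["*://*.google.com/*", "*://*.bing.com/*"],
                       "js": ["included.js"]}]
}""")

SEARCH_HOST = re.compile(r"^(\*|https?)://([^/]*\.)?(google|bing|yahoo)\.", re.I)
BROAD_PERMS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation",
               "<all_urls>", "http://*/*", "https://*/*"}


def hijack_indicators(manifest: dict) -> List[str]:
    """Return the manifest properties that let an extension rewrite search-result clicks."""
    hits = []
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            if m in ("<all_urls>", "http://*/*", "https://*/*"):
                hits.append(f"content script injected into every page: {m}")
            elif SEARCH_HOST.match(m):
                hits.append(f"content script targets search engine pages: {m}")
    for perm in manifest.get("permissions", []):
        if perm in BROAD_PERMS:
            hits.append(f"broad permission: {perm}")
    if "background" in manifest or "background_page" in manifest:
        hits.append("persistent background page")
    return hits


if __name__ == "__main__":
    for bucket, tags in summarize(DELETED_PATHS, OBJECT_ROOT).items():
        print(f"{bucket}: {', '.join(sorted(tags))}")
    for hit in hijack_indicators(SAMPLE_MANIFEST):
        print("indicator:", hit)
```

The .DS_Store and ._ files are worth noting on their own: they say the package was assembled on a Mac and copied over whole, which is a useful fingerprint when correlating samples, and Windows never creates them.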
#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 11 May 2012 - 12:29 PM

please try running combofix in safe mode without a script

please delete the copy you have, then download a fresh copy

Link 1

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account



NEXT


  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

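Added example, not part of this thread and not aswMBR's own code: the MBR.dat that aswMBR writes is a raw 512-byte dump of sector 0, and the checks below are what an analyst does with it before deciding on any "Fix": confirm the 0x55AA boot signature, parse the four 16-byte partition entries, compare a hash of the 446-byte bootstrap area against hashes from known-clean machines, and look for partition entries that overlap the MBR or each other (where a bootkit hides its code). The boot stubs, partition layouts and the KNOWN_GOOD hash set here are constructed for illustration and are not real Windows boot code.

```python
import hashlib
import struct
from typing import Dict, List, Set, Tuple

MBR_SIZE = 512
BOOTCODE_LEN = 446       # bytes 0..445: bootstrap code
PTABLE_OFF = 446         # four 16-byte partition entries follow
SIG_OFF = 510            # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootcode: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR. Constructed test data, not a dump from a real disk."""
    if len(bootcode) > BOOTCODE_LEN or len(partitions) > 4:
        raise ValueError("bootcode too long or too many partitions")
    buf = bytearray(bootcode.ljust(BOOTCODE_LEN, b"\x00"))
    for status, ptype, lba, count in partitions:
        buf += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    buf += b"\x00" * (SIG_OFF - len(buf))   # unused partition slots
    buf += b"\x55\xaa"
    return bytes(buf)


def parse_mbr(data: bytes) -> Dict:
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0 and count == 0:
            continue   # empty slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def triage(data: bytes, known_good_bootcode: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] not in known_good_bootcode:
        findings.append("bootstrap code hash not in the known-good set")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    prev_end = 1   # sector 0 is the MBR itself; nothing may start there
    for p in sorted(info["partitions"], key=lambda e: e["lba_start"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["lba_start"] < prev_end:
            findings.append(f"partition {p['index']}: overlaps preceding region "
                            f"(starts at LBA {p['lba_start']})")
        prev_end = max(prev_end, p["lba_start"] + p["sectors"])
    return findings


def load_mbr_dat(path: str) -> bytes:
    """Read the first sector from an aswMBR MBR.dat (or any raw sector-0 dump)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed bootstrap stubs for illustration; NOT real Windows boot code.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
TAMPERED_BOOTCODE = b"\xeb\x3e" + b"\x90" * 62 + b"\xb8\x00\x00"   # jumps elsewhere first
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()}
# (status, type, LBA start, sectors): a 100 MB system partition plus the Windows volume
CLEAN_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
TAMPERED_PARTS = CLEAN_PARTS + [(0x00, 0x07, 0, 63)]   # hidden entry overlapping the MBR

if __name__ == "__main__":
    for label, code, parts in [("clean", CLEAN_BOOTCODE, CLEAN_PARTS),
                               ("tampered", TAMPERED_BOOTCODE, TAMPERED_PARTS)]:
        print(label, triage(build_sample_mbr(code, parts), KNOWN_GOOD) or "no findings")
```

A hash mismatch on its own is not a verdict: OEM images, Dell recovery partitions and boot managers ship their own bootstrap code, so the baseline set has to come from a clean machine of the same build. The partition-overlap and multiple-active-partition findings are the ones that rarely have a benign explanation.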

#14 jkswanda

jkswanda
  • Topic Starter

  • Members
  • 40 posts

Posted 11 May 2012 - 04:19 PM

Attached File  MBR.zip   568bytes
Attached File  aswMBR.txt   1.86KB

I was in topic448664.html and moved to this topic title by a moderator, but can't find a place to download information on my last instructions in this forum.
jkswanda

---Ran a fresh load of Combofix.exe in Safemode and it ran OK until it shows the files deleted. It then gets to folders deleted and it reboots. When my computer reboots, it comes back in the original recovery mode-safe mode, and everything is lost. For example I had put combofix.exe on the desktop and it was gone. Also any logs that combofix may have made were gone. Listed above are the files deleted that I copied from the screen and put on a usb drive before it rebooted. Updated 5-12-12

Edited by jkswanda, 12 May 2012 - 09:20 AM.


#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • Location:Bloomington, IN

Posted 11 May 2012 - 04:45 PM

Topics merged.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



